On Mon, Feb 23, 2015 at 09:29:07PM +0000, Kevin San Diego wrote:

> I'm trying to get up to speed on the DANE implementation in Postfix, it
> appears to support only DANE certificate usage 2 (Trust anchor assertion)
> and 3 (Domain-issued certificate). Is there a particular reason why the
> public CA-signed certificate types wouldn't be supported as these are more
> likely (as of today, at least) to be installed on business and commercial
> platforms?

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.3
    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.1
    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.2
    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-1.3.2

> Extract from http://www.postfix.org/TLS_README.html#client_tls_dane:

> "The Postfix SMTP client supports only certificate usages "2" and "3"
> (with "1" treated as though it were "3"). See
> tls_dane_trust_anchor_digest_enable for usage "2" usability
> considerations. Support for certificate usage "1" is an experiment, it
> may be withdrawn in the future. Server operators SHOULD NOT publish
> TLSA records with usage "1"."

The support for usage "1" simply pretends that the server operator
published the right server certificate digest with the wrong usage
and treats "1" as though it were "3".

-- 
        Viktor.
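
[Added example, not Postfix code and not part of the reply above.] The
following Python models the TLSA handling described in this thread: it
derives the certificate association data for the selectors (0 = full
certificate, 1 = SubjectPublicKeyInfo) and matching types (0 = exact,
1 = SHA2-256, 2 = SHA2-512), prints the zone records an operator would
publish, and then evaluates an RRset the way the quoted TLS_README
describes: usages 2 and 3 are honoured, usage 1 is matched as if it were
3, and usage 0 is skipped as unusable. The certificates are constructed
DER skeletons with placeholder key and signature bytes (not real X.509,
they would not verify); the owner name _25._tcp.mx.example.com. is
assumed; and usage 2 is reduced to a digest match against the presented
issuer certificates, leaving out the chain verification a real DANE-TA
check also performs.

```python
import hashlib
from typing import NamedTuple, Optional

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_seq(*children: bytes) -> bytes:
    return der_tlv(0x30, b"".join(children))

def der_header(buf: bytes, off: int = 0):
    """(tag, content_start, content_end) of the TLV starting at buf[off]."""
    tag, ln, pos = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def der_children(tlv: bytes) -> list:
    _, i, end = der_header(tlv)
    out = []
    while i < end:
        _, _, nxt = der_header(tlv, i)
        out.append(tlv[i:nxt])  # each child as its whole encoding
        i = nxt
    return out

def build_skeleton_cert(fill: int) -> bytes:
    """CONSTRUCTED stand-in for an X.509 v3 cert: correct field order, but
    placeholder key and signature bytes. It only exercises the selectors."""
    alg = der_seq(der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), der_tlv(0x05, b""))  # sha256WithRSA
    spki = der_seq(der_seq(der_tlv(0x06, bytes.fromhex("2a864886f70d010101")), der_tlv(0x05, b"")),  # rsaEncryption
                   der_tlv(0x03, b"\x00" + bytes([fill]) * 64))  # BIT STRING, placeholder key
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),  # [0] version: v3
                  der_tlv(0x02, bytes([fill])),            # serialNumber
                  alg, der_seq(),                           # signature, issuer (empty Name)
                  der_seq(der_tlv(0x17, b"150101000000Z"), der_tlv(0x17, b"250101000000Z")),  # validity
                  der_seq(), spki)                          # subject (empty Name), subjectPublicKeyInfo
    return der_seq(tbs, alg, der_tlv(0x03, b"\x00" * 33))  # placeholder signatureValue

def extract_spki(cert_der: bytes) -> bytes:
    """Selector 1 input. The [0] version field is optional (absent in v1), so SPKI is index 6 or 5."""
    fields = der_children(der_children(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]

class TLSA(NamedTuple):
    usage: int
    selector: int
    mtype: int
    data: bytes

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """What the RR data field must equal for this certificate to match."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    digests = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
               2: lambda b: hashlib.sha512(b).digest()}
    return digests[mtype](selected)

def make_tlsa(cert_der: bytes, usage: int, selector: int, mtype: int) -> TLSA:
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def presentation(owner: str, rr: TLSA) -> str:
    """Zone-file form an operator would publish for the SMTP port."""
    return f"{owner} IN TLSA {rr.usage} {rr.selector} {rr.mtype} {rr.data.hex()}"

def effective_usage(rr: TLSA) -> Optional[int]:
    """As the quoted TLS_README states: 2 and 3 supported, 1 treated as 3, 0 unsupported (None)."""
    if rr.usage in (2, 3):
        return rr.usage
    return 3 if rr.usage == 1 else None

def dane_match(leaf_der: bytes, issuer_ders: list, rrset: list) -> dict:
    """Usage 3 (and 1 mapped to 3) is checked against the leaf, usage 2 against the issuers."""
    res = {"matched": [], "unusable": []}
    for rr in rrset:
        usage = effective_usage(rr)
        if usage is None or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
            res["unusable"].append(rr)  # unsupported records are skipped
            continue
        candidates = [leaf_der] if usage == 3 else issuer_ders
        if any(association_data(c, rr.selector, rr.mtype) == rr.data for c in candidates):
            res["matched"].append((rr, usage))
    return res

if __name__ == "__main__":
    leaf, ca = build_skeleton_cert(0x42), build_skeleton_cert(0x43)
    rrset = [make_tlsa(leaf, 3, 1, 1),  # DANE-EE(3), SPKI, SHA2-256
             make_tlsa(leaf, 1, 1, 1),  # PKIX-EE(1): right digest, "wrong" usage, matched as 3
             make_tlsa(ca, 2, 0, 1),    # DANE-TA(2) over the issuer's full certificate
             make_tlsa(ca, 0, 0, 1)]    # PKIX-TA(0): unsupported, skipped
    for rr in rrset:
        print(presentation("_25._tcp.mx.example.com.", rr))  # assumed owner name
    res = dane_match(leaf, [ca], rrset)
    print([(rr.usage, eff) for rr, eff in res["matched"]], len(res["unusable"]))
```

Running it prints the four records and then [(3, 3), (1, 3), (2, 2)] 1:
the usage 1 record matches exactly because its digest is the one a 3 1 1
record would carry, which is the "pretends the operator published the
right digest with the wrong usage" behaviour described above; the usage 0
record contributes nothing.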
