On 12/31/18 2:21 PM, Viktor Dukhovni wrote:
>> On Dec 31, 2018, at 2:01 PM, zorion <[email protected]> wrote:
>>
>> Ok, I had a hard time finding out what exactly the *trust-anchor* was
>> supposed to be. I took a guess that it was the combined cert chain, but
>> obviously that is not it.
>
> A trust-anchor is any issuing CA you designate as trusted, and it does
> not have to be a root CA, it can also be any intermediate CA.

Thank you for the explanation!

>> What exactly is the trust-anchor? Is it the top level cert from the CA
>> in the chain (#4 in your danecheck below)?
>
> It is any of 2, 3 or 4. The important constraint with DANE-TA(2), as
> explained in https://tools.ietf.org/html/rfc7671#section-5.2.2, is
> that if you do choose a root CA as your trust-anchor, unlike the
> case in non-DANE PKIX protocols, it MUST be sent to the client along
> with the intermediate issuer certificates.

Would that be the smtp_tls_CAfile option in postfix? I've got an
intermediate bundle that I provide to that option in main.cf

> To compute the digest of a CA certificate, create a PEM file containing
> just that certificate. Or use my "chaingen" script (attached), which
> can process a complete chain of certificates, but DO NOT then publish
> all the TLSA records it outputs. Publish no more than one TLSA record
> per certificate in the chain, typically just the "3 1 1" for the EE
> cert, and "2 1 1" for the TA certs. And no need to match at every
> level. At most two trust anchors (typically just one) are enough.

Thanks! Is there a benefit for also publishing the "2 1 1" TA certs if
I'm already publishing the "3 1 1" EE cert?

ps. accidentally only sent this directly to Viktor, sending it to the list.
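The "3 1 1" and "2 1 1" records discussed above differ only in the certificate-usage field: both hash the DER-encoded SubjectPublicKeyInfo (selector 1) with SHA-256 (matching type 1), so the same digest routine serves the EE cert and a TA cert. The following is an added, standard-library-only Python example (not part of the thread, and not Viktor's "chaingen" script) that walks the DER structure of an X.509 certificate to locate the SubjectPublicKeyInfo and emits the TLSA RDATA. Because no real certificate is on the page, the sample input is a constructed, unsigned certificate skeleton with the correct tbsCertificate field order; the key bytes in it are an invented pattern and the OIDs are the standard id-ecPublicKey / prime256v1 / sha256WithRSAEncryption values. For a real deployment you would feed `pem_to_der()` the PEM file containing just the one certificate, as the reply recommends.

```python
import base64
import hashlib
import re

# TLSA field values used in the thread (RFC 6698): certificate usage
# 3 = DANE-EE, 2 = DANE-TA; selector 1 = SubjectPublicKeyInfo;
# matching type 1 = SHA-256.
DANE_TA, DANE_EE = 2, 3


def _der(tag, value):
    """Encode one DER TLV (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    return tag, pos + hdr, pos + hdr + length


def _elements(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend


def subject_public_key_info(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) from an X.509 cert."""
    tag, cert_start, _ = _tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_start, tbs_end = _tlv(cert_der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_elements(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki_start, spki_end = fields[5]
    return cert_der[spki_start:spki_end]


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def spki_digest(cert_der):
    """SHA-256 (matching type 1) over the SPKI (selector 1), as lowercase hex."""
    return hashlib.sha256(subject_public_key_info(cert_der)).hexdigest()


def tlsa_rdata(cert_der, usage):
    """RDATA for a '<usage> 1 1' TLSA record, e.g. '3 1 1 <hex>' for the EE cert."""
    if usage not in (DANE_TA, DANE_EE):
        raise ValueError("usage must be 2 (DANE-TA) or 3 (DANE-EE)")
    return f"{usage} 1 1 {spki_digest(cert_der)}"


# --- constructed sample data (NOT a real certificate) ------------------------
# An SPKI for an invented uncompressed P-256 point; the 64 coordinate bytes are
# a made-up pattern, so nothing here is a usable key.
SAMPLE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201"))        # id-ecPublicKey
             + _der(0x06, bytes.fromhex("2a8648ce3d030107")))     # prime256v1
    + _der(0x03, b"\x00\x04" + bytes(range(1, 65))))              # BIT STRING


def build_synthetic_certificate(spki, with_version=True):
    """Unsigned X.509 skeleton with the right field order, for exercising the parser."""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = b""
    if with_version:
        tbs += _der(0xA0, _der(0x02, b"\x02"))                      # [0] version v3
    tbs += _der(0x02, b"\x01")                                      # serialNumber
    tbs += sig_alg                                                  # signature
    tbs += _der(0x30, b"")                                          # issuer (empty Name)
    tbs += _der(0x30, _der(0x17, b"190101000000Z") + _der(0x17, b"200101000000Z"))
    tbs += _der(0x30, b"")                                          # subject (empty Name)
    tbs += spki                                                     # subjectPublicKeyInfo
    # signatureValue is a dummy BIT STRING; no real signing takes place.
    return _der(0x30, _der(0x30, tbs) + sig_alg + _der(0x03, b"\x00" * 9))


SAMPLE_CERT_DER = build_synthetic_certificate(SAMPLE_SPKI)
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Real use: pem_to_der(open("ca.pem").read()) for one certificate per file.
    print("EE:", tlsa_rdata(pem_to_der(SAMPLE_CERT_PEM), DANE_EE))
    print("TA:", tlsa_rdata(pem_to_der(SAMPLE_CERT_PEM), DANE_TA))
```

Run against the EE certificate with usage 3 and against the chosen issuing CA certificate with usage 2; the digest for each is computed the same way, which is why the reply says to publish at most one record per certificate rather than the whole chain's output.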
