Types 0 and 1 were included because some expressed interest in continuing to rely on the existing PKI, but with extra confirmation from DANE. They very much wanted to have the TLSA only as an added check, hence the language in the RFC and many of the replies in this thread.

Which is why, when I agreed that ignoring the CN and subjectAltName certainly makes sense for type 3, I didn't comment on type 1. I think that the type 0 and 1 supporters feel that keeping the TLSA as only an extra validation is more important than any other consideration. Skipping the name checks with type 1 doesn't bother me, and will not stop me from continuing to use pf or from enabling the TLSA lookups (if it is to be configurable). But I can understand the positions and motives of those who want complete adherence to the legacy PKI model when using TLSA type 1, even though I strongly prefer the type 2/type 3 model.

-JimC

-- 
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
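The distinction the post draws (usage 0/1 keep the full legacy PKI checks and treat the TLSA record as an extra gate; usage 3 is satisfied by the TLSA match alone, so the CN/subjectAltName check can be skipped) is easiest to see as decision logic. The following is an added illustration, not code from the post, the DANE list or any implementation. It assumes: the "certificate" and "SubjectPublicKeyInfo" inputs are constructed byte strings rather than real DER; the PKIX chain build and the name check are done elsewhere and their boolean results are passed in; and usage 2 keeps the name check while dropping the PKIX requirement (a simplifying assumption for the example, since the post does not spell out type 2 semantics). The selector/matching-type handling follows RFC 6698 (selector 0 = full certificate, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512).

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates and their SPKI blobs.
END_ENTITY_CERT = b"constructed-der-of-end-entity-cert"
END_ENTITY_SPKI = b"constructed-der-of-end-entity-spki"
ISSUER_CERT = b"constructed-der-of-issuer-cert"
ISSUER_SPKI = b"constructed-der-of-issuer-spki"

# Chain as presented by the server, end entity first: [(cert_der, spki_der), ...]
CHAIN = [(END_ENTITY_CERT, END_ENTITY_SPKI), (ISSUER_CERT, ISSUER_SPKI)]


def association_data(cert_der, spki_der, selector, matching_type):
    """RFC 6698 section 2.1: choose what the record covers, then apply the matching type."""
    data = cert_der if selector == 0 else spki_der  # selector 1 = SubjectPublicKeyInfo
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def make_record(usage, selector, matching_type, cert_der, spki_der):
    """Build a TLSA tuple (usage, selector, matching type, data) for a given certificate."""
    return (usage, selector, matching_type,
            association_data(cert_der, spki_der, selector, matching_type))


def tlsa_matches(record, cert_der, spki_der):
    usage, selector, matching_type, data = record
    return association_data(cert_der, spki_der, selector, matching_type) == data


def validate(record, chain, pkix_valid, name_matches):
    """Decide whether to accept the server certificate under one TLSA record.

    pkix_valid   -- result of the legacy PKIX chain validation (assumed done by caller)
    name_matches -- result of the CN/subjectAltName check (assumed done by caller)
    Returns (accepted, reason).
    """
    usage = record[0]
    if usage in (0, 2):
        # CA constraint (0) / trust anchor (2): the record must match some cert in the chain.
        matched = any(tlsa_matches(record, c, s) for c, s in chain)
    elif usage in (1, 3):
        # Service certificate constraint (1) / domain-issued certificate (3):
        # the record must match the end-entity certificate.
        matched = tlsa_matches(record, *chain[0])
    else:
        return False, "unknown certificate usage %d" % usage
    if not matched:
        return False, "TLSA association data does not match"

    if usage in (0, 1):
        # Types 0 and 1: TLSA is only an added check on top of the existing PKI,
        # so the chain must still validate and the name must still match.
        if not pkix_valid:
            return False, "usage %d: PKIX chain validation failed" % usage
        if not name_matches:
            return False, "usage %d: certificate name does not match server" % usage
        return True, "usage %d: PKIX valid, name matches, TLSA matches" % usage
    if usage == 2:
        # Type 2: the matched cert is the trust anchor; no PKIX root needed,
        # but the end-entity name is still checked (assumption for this example).
        if not name_matches:
            return False, "usage 2: certificate name does not match server"
        return True, "usage 2: chain reaches TLSA trust anchor, name matches"
    # Type 3: the TLSA match is the whole check; CN/SAN and PKIX are not consulted.
    return True, "usage 3: TLSA matches end-entity certificate"


if __name__ == "__main__":
    ee_rec_type1 = make_record(1, 1, 1, END_ENTITY_CERT, END_ENTITY_SPKI)
    ee_rec_type3 = make_record(3, 1, 1, END_ENTITY_CERT, END_ENTITY_SPKI)
    # Same certificate, same association data; only the usage differs.
    print(validate(ee_rec_type1, CHAIN, pkix_valid=True, name_matches=False))
    print(validate(ee_rec_type3, CHAIN, pkix_valid=False, name_matches=False))
```

Running the two calls at the bottom shows the post's point directly: with a name mismatch the type 1 record is rejected even though the TLSA data matches, while the identical data under type 3 is accepted with neither the PKIX result nor the name check consulted.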
