On Tue, Mar 05, 2013 at 02:57:31PM -0500, James Cloos wrote:
> I think that the type 0 and 1 supporters feel that keeping the
> tlsa as only an extra validation is more important than any other
> consideration.
And yet logic leads us to observe that since the choice of certificate
usage type is made by the domain owner and not the client, the
domain owner gets exactly the desired semantics by never generating
TLSA "1 x y" RRs where the name inside the cert is not the host
fqdn. The client name check is then always redundant, since the
certificate always matches.
We can create additional space for domain owners that want to choose
1, but don't want to consume the full legacy PKI banquet, they just
want the revocation support main-course. They should be able to do
so by generating non-matching (different name inside the cert) TLSA
"1 x y" records.
This way everyone is happy. Why should the domain owner's choice
be constrained by clients, given that the domain owner, who
defines TLSA records, can equally publish 0, 2, 3 or other future
certificate usages at their pleasure?
I would like to suggest that the substance of TLSA being an additional
check in 0/1 is completely retained when name checks are optimized
out with 1 (as with compiler optimization of constant expressions),
since the name checks would always succeed if made for domains
that want this. To quote the Mikado:
It's like this: When your Majesty says, "Let a thing be done,"
it's as good as done---practically, it is done---because your
Majesty's will is law. Your Majesty says, "Kill a gentleman,"
a gentleman is told off to be killed. Consequently, that
gentleman is as good as dead---practically, he is dead---and
if he is dead, why not say so?
No name checks need to happen, because they automatically match
for the domains that want name matches, and never match for those
that don't.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
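The "constant expression" argument above can be made concrete with a small model of RFC 6698 TLSA matching. The following is an added example, not code from this message or from any DANE implementation: certificates are constructed stand-ins (a DNS name, placeholder "DER" and "SPKI" bytes, and a boolean standing in for the outcome of PKIX path validation), the host name `mx.example.com` and the other names are made up, and `accept_usage1` is a hypothetical client decision for certificate usage 1 (PKIX-EE) with the hostname check made switchable. Selectors (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching types (0 = exact, 1 = SHA-256, 2 = SHA-512) follow RFC 6698. The two scenarios show that the name check changes no decision while the owner only publishes "1 x y" records for certificates bearing the host fqdn, and that it only starts to matter in exactly the non-matching case the message describes.

```python
"""Toy RFC 6698 TLSA matcher (added example; constructed data, not a real DANE library)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X.509 end-entity certificate (not DER-parsed).
    name: str          # DNS name inside the certificate
    der: bytes         # "full certificate" bytes, used by selector 0
    spki: bytes        # "SubjectPublicKeyInfo" bytes, used by selector 1
    pkix_valid: bool   # stand-in for the result of ordinary PKIX path validation


@dataclass(frozen=True)
class TLSA:
    usage: int         # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int      # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int         # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes        # certificate association data


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Select the certificate part, then apply the matching type (RFC 6698 2.1.2/2.1.3)."""
    part = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return part
    if mtype == 1:
        return hashlib.sha256(part).digest()
    if mtype == 2:
        return hashlib.sha512(part).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """What a domain owner publishes for a given certificate."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))


def matches(rr: TLSA, cert: Cert) -> bool:
    """Does the presented certificate match this TLSA record's association data?"""
    return association_data(cert, rr.selector, rr.mtype) == rr.data


def accept_usage1(rr: TLSA, cert: Cert, fqdn: str, do_name_check: bool) -> bool:
    """Hypothetical usage-1 (PKIX-EE) client decision: PKIX validity plus TLSA match,
    with the client-side hostname check optionally applied on top."""
    if rr.usage != 1 or not cert.pkix_valid or not matches(rr, cert):
        return False
    return cert.name == fqdn if do_name_check else True


def name_check_redundant(records, certs, fqdn: str) -> bool:
    """True when every record/cert pair decides the same way with and without the
    hostname check, i.e. the check is a constant expression for this zone."""
    return all(
        accept_usage1(rr, c, fqdn, True) == accept_usage1(rr, c, fqdn, False)
        for rr in records
        for c in certs
    )


# Constructed data: a host, its own certificate, a PKIX-valid certificate for a
# different name, and a PKIX-valid certificate for the same name that the owner
# never listed in DNS.
FQDN = "mx.example.com"
SITE = Cert(FQDN, b"der:site", b"spki:site", True)
OTHER = Cert("other.example.net", b"der:other", b"spki:other", True)
STRAY = Cert(FQDN, b"der:stray", b"spki:stray", True)
CANDIDATES = [SITE, OTHER, STRAY]


def scenario_matching_only() -> bool:
    """Owner publishes 1 x y records only for certs whose name is the host fqdn."""
    records = [make_tlsa(SITE, 1, 0, 1), make_tlsa(SITE, 1, 1, 2)]
    return name_check_redundant(records, CANDIDATES, FQDN)


def scenario_non_matching() -> bool:
    """Owner deliberately publishes a 1 x y record for a cert with another name."""
    records = [make_tlsa(OTHER, 1, 1, 1)]
    return name_check_redundant(records, CANDIDATES, FQDN)


if __name__ == "__main__":
    print("name check redundant (matching-only zone):", scenario_matching_only())
    print("name check redundant (non-matching record):", scenario_non_matching())
```

In the first scenario the TLSA match already rejects `OTHER` and `STRAY` and accepts `SITE`, so toggling the hostname check changes nothing. In the second, the record the owner chose to publish is the only thing the hostname check can override, which is the constraint the message argues clients should not impose.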