On Thu, Mar 07, 2013 at 07:05:37PM +0000, Tony Finch wrote:
> > But since HASTLS seems dead, please interpret "TLSA record present" as
> > "don't deliver without TLS"
>
> That is what my drafts require.
Speaking of the drafts, one point I'd like to see modified is the
MUST SNI requirement. I think it is too restrictive for two
reasons:
- Some servers will have a single multi-SAN certificate, that
meets the requirements of both legacy and DANE-aware clients
and so don't need to support SNI.
- Many (or perhaps even most) servers will publish "TLSA 3 1 1"
records, and we've just agreed (after blood, sweat and tears)
that "TLSA 3 x y" won't need name checks. So just the legacy
name in the certificate suffices.
Therefore, the "MUST SNI" is I think a "SHOULD SNI", if the server
does not have a multi-name certificate, and its DANE cert usage
leads to some clients expecting a different name than others.
Doing SNI in Postfix would be a pain, and it's never been needed
before; I'd like to keep it that way.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
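The point Viktor makes about "TLSA 3 x y" records (usage 3, DANE-EE) is that matching is done against the certificate or its public key alone, so the names in the certificate play no part and a single legacy-named certificate is enough. The following Go program is an added illustration of that verification step; it is not code from Postfix, from the drafts, or from anyone on this thread. It goes slightly beyond the "3 1 1" case by also handling selector 0 (full certificate) and matching types 0 and 2. The certificate, key and hostnames it uses are constructed locally for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// TLSA holds the four fields of a TLSA record (RFC 6698 presentation format).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// ParseTLSA parses "usage selector matching-type hex-data".
func ParseTLSA(rr string) (TLSA, error) {
	f := strings.Fields(rr)
	if len(f) != 4 {
		return TLSA{}, fmt.Errorf("TLSA: want 4 fields, got %d", len(f))
	}
	var n [3]uint8
	for i := 0; i < 3; i++ {
		v, err := strconv.ParseUint(f[i], 10, 8)
		if err != nil {
			return TLSA{}, fmt.Errorf("TLSA field %d: %w", i, err)
		}
		n[i] = uint8(v)
	}
	data, err := hex.DecodeString(f[3])
	if err != nil {
		return TLSA{}, fmt.Errorf("TLSA data: %w", err)
	}
	return TLSA{Usage: n[0], Selector: n[1], MatchingType: n[2], Data: data}, nil
}

// MatchesDANEEE reports whether a leaf certificate matches a usage-3 record.
// Only the selected bytes (full cert or SubjectPublicKeyInfo) are compared;
// the certificate's subject and SAN names are never consulted, which is why
// a "3 x y" record does not require a name check.
func MatchesDANEEE(cert *x509.Certificate, rec TLSA) (bool, error) {
	if rec.Usage != 3 {
		return false, fmt.Errorf("usage %d is not DANE-EE; name/PKIX rules differ", rec.Usage)
	}
	var sel []byte
	switch rec.Selector {
	case 0:
		sel = cert.Raw // full DER certificate
	case 1:
		sel = cert.RawSubjectPublicKeyInfo // public key only
	default:
		return false, fmt.Errorf("unsupported selector %d", rec.Selector)
	}
	switch rec.MatchingType {
	case 0:
		return bytes.Equal(sel, rec.Data), nil
	case 1:
		h := sha256.Sum256(sel)
		return bytes.Equal(h[:], rec.Data), nil
	case 2:
		h := sha512.Sum512(sel)
		return bytes.Equal(h[:], rec.Data), nil
	}
	return false, fmt.Errorf("unsupported matching type %d", rec.MatchingType)
}

// TLSA311 renders the "3 1 1" record an operator would publish for cert.
func TLSA311(cert *x509.Certificate) string {
	h := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(h[:])
}

// NewTestCert builds a self-signed certificate carrying only the given DNS
// names. Constructed for this example; not a real server certificate.
func NewTestCert(names []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A server with one legacy-named certificate and a published 3 1 1 record.
	cert, err := NewTestCert([]string{"legacy.example.com"})
	if err != nil {
		panic(err)
	}
	rr := TLSA311(cert)
	rec, _ := ParseTLSA(rr)
	ok, _ := MatchesDANEEE(cert, rec)
	fmt.Println("published:", rr)
	fmt.Println("DANE-EE match, no name check:", ok)
	// A hostname check against some other name would fail, but that check is
	// simply not part of DANE-EE verification.
	fmt.Println("hostname check for dane.example.com passes:",
		cert.VerifyHostname("dane.example.com") == nil)
}
```

Run it and the record matches although the certificate names only legacy.example.com, while a conventional hostname check against any other name fails; that contrast is exactly why a multi-name certificate or SNI is unnecessary for "3 x y" deployments.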