>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:

First of all, thank you for all of the questions.  Questions from
implementors are an important part of the process and the ensuing dialog
should help tlsa progress towards Full Standard.

VD> Are servers that publish their trust anchor details via DNS in full:

VD>     _25._tcp.mail.example.com. IN TLSA 2 0 0 <DER cert in hex>

VD> exempt from being obligated to provide the same certificate somewhere
VD> in their trust chain?

I had a probably too long answer written, but after reading the rfc a
couple more times, and notwithstanding our early discussion here (some
of which would have supported permitting elision), I've concluded that
the text in §2.1.1:

,----< 2 -- Certificate usage 2 ... >
| The target certificate MUST pass PKIX certification path validation,
| with any certificate matching the TLSA record considered to be a
| trust anchor for this certification path validation.
`----

means that the cert has to be included in the tls startup negotiation;
it cannot be elided.

VD> I am also hoping that ... in practice all TLSA records will be
VD> sha2 digests.

Sha2 matches should be documented as the Best Practice for TLSA.

-JimC
-- 
James Cloos <[email protected]>         OpenPGP: 1024D/ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
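The two points settled above (a usage-2 trust anchor has to be found among the certificates the server actually sends, and SHA-2 digests rather than full certificates are the sensible thing to publish) can be shown as the TLSA matching step a DANE-aware client performs before PKIX path validation. The following is an added example written for this page, not code from the thread or from any DANE implementation; the "certificate" byte strings are constructed placeholders rather than real DER, only selector 0 (full certificate, as in the `2 0 0` record quoted above) is handled, and PKIX path validation with the matched certificate as trust anchor is left to the caller.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence

# RFC 6698 field values used below
USAGE_DANE_TA = 2       # certificate usage 2: DANE trust anchor
SELECTOR_FULL_CERT = 0  # selector 0: the whole DER certificate
MATCH_FULL = 0          # matching type 0: exact match on the association data
MATCH_SHA256 = 1        # matching type 1: SHA-256 of the association data
MATCH_SHA512 = 2        # matching type 2: SHA-512 of the association data


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation-format rdata such as '2 0 1 <hex>'.

    The hex field may be split over several whitespace-separated chunks,
    as zone-file tools often print it; the chunks are joined first."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def association_data(cert_der: bytes, selector: int) -> bytes:
    """Select the bytes the record is matched against.

    Only selector 0 (the whole certificate, as in the thread's record) is in
    scope here; selector 1 would need an ASN.1 parser to extract the
    SubjectPublicKeyInfo."""
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    raise ValueError(f"selector {selector} is outside the scope of this example")


def record_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """True if cert_der matches the record under its selector and matching type."""
    data = association_data(cert_der, record.selector)
    if record.matching_type == MATCH_FULL:
        return data == record.data
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest() == record.data
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest() == record.data
    raise ValueError(f"unknown matching type {record.matching_type}")


def find_dane_trust_anchor(record: TLSARecord,
                           presented_chain: Sequence[bytes]) -> Optional[bytes]:
    """Usage-2 matching step: locate the trust anchor in the *presented* chain.

    Returns the matching certificate, or None when the server elided it (the
    failure case the thread concludes is not permitted). The caller must then
    run PKIX path validation with that certificate as the trust anchor; that
    step is not implemented in this example."""
    if record.usage != USAGE_DANE_TA:
        raise ValueError("this helper only handles certificate usage 2")
    for cert_der in presented_chain:
        if record_matches(record, cert_der):
            return cert_der
    return None


# Constructed placeholders standing in for DER-encoded certificates. They are
# not real certificates, only distinct byte strings so the matching is visible.
CA_DER = b"constructed-placeholder-for-the-CA-certificate-DER"
LEAF_DER = b"constructed-placeholder-for-the-leaf-certificate-DER"

# A '2 0 0' record carrying the whole CA certificate, and the '2 0 1'
# equivalent carrying only its SHA-256 digest (the form recommended above).
RECORD_FULL = parse_tlsa("2 0 0 " + CA_DER.hex())
RECORD_SHA256 = parse_tlsa("2 0 1 " + hashlib.sha256(CA_DER).hexdigest())

if __name__ == "__main__":
    full_chain = [LEAF_DER, CA_DER]   # server sends leaf plus the anchor
    elided_chain = [LEAF_DER]         # server omits the anchor
    for label, rec in (("2 0 0", RECORD_FULL), ("2 0 1", RECORD_SHA256)):
        print(label, "anchor sent:  ", find_dane_trust_anchor(rec, full_chain) == CA_DER)
        print(label, "anchor elided:", find_dane_trust_anchor(rec, elided_chain))
```

Running it shows the same outcome for the full-certificate and the SHA-256 records: the anchor is found only when the server includes it in the chain, and the digest form reaches the same decision with a 32-byte record instead of the entire DER certificate.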