On Apr 19, 2013, at 10:25 PM, Viktor Dukhovni <[email protected]> wrote:
> Server: Via DNS: My TA digest is 12345
> Server: Via TLS handshake: my certificate chain is A, B, C
> Client: Sees that none of A, B, or C have 12345 as their digest.
> Does not have any certificates in hand with digest 12345
> (no presumption of this with certificate usage 2).
> Verification fails.
>
> Therefore:
>
> Observation: If server does not want the client to fail, include
> the TA cert in the chain A, B, C, D (assuming, for example, that
> D is the missing TA certificate that signed C).

Yes. And there are probably other valuable operational considerations that are not in RFC 6689 that you and others are discovering as well. These should be captured in an RFC that updates RFC 6689. That way, future developers and implementers can find them in a widely-distributed and stable document series.

If the WG wants to add this to the charter, I would be willing to be editor again. However, I think that an actual implementer and/or operator of DANE services would probably be a better editor (nudge, nudge Viktor).

If the WG doesn't want to add this to the charter (or if the AD does not want us to add this to the charter), an operational document such as this that updates RFC 6689 is a completely reasonable thing for individual submission.

--Paul Hoffman

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
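The failure mode in the quoted exchange, as an added example that is not part of the thread and not taken from any real DANE implementation: a client holding a certificate-usage-2 (DANE-TA) TLSA record searches only the chain the server presented for a certificate whose selected bytes (full certificate or SubjectPublicKeyInfo) reduce, under the record's matching type, to the published association data. With the chain A, B, C and a record for D, nothing matches and verification fails; appending D to the chain makes it succeed. The `Cert` and `TLSA` types, the function names, and the certificate byte strings are all constructed stand-ins for this illustration; real code would hash the DER of actual certificates, and would still have to build a validated path from the leaf up to the matched trust anchor, which is not modelled here.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example (not from the thread or from any DANE implementation):
# the DANE-TA (certificate usage 2) matching step the quoted exchange walks
# through.  Certificates are constructed stand-ins: only the two byte strings
# a TLSA selector can pick out are modelled.


@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes   # stands in for the full DER-encoded certificate
    spki: bytes  # stands in for the DER-encoded SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int          # 2 = DANE-TA (trust anchor assertion)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data from the RR


def select(cert: Cert, selector: int) -> bytes:
    """Pick the part of the certificate the TLSA selector refers to."""
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def associate(blob: bytes, matching_type: int) -> bytes:
    """Reduce the selected bytes to the form stored in the RR."""
    if matching_type == 0:
        return blob
    if matching_type == 1:
        return hashlib.sha256(blob).digest()
    if matching_type == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_matches(rec: TLSA, cert: Cert) -> bool:
    return associate(select(cert, rec.selector), rec.matching_type) == rec.data


def find_trust_anchor(records: Sequence[TLSA],
                      chain: Sequence[Cert]) -> Optional[Cert]:
    """Usage-2 lookup as described in the thread: the client searches only
    the chain the server sent.  It has no other certificates 'in hand', so a
    TA that is absent from the chain cannot be found.  (Path validation from
    the leaf up to the matched TA is a separate step, not modelled here.)"""
    for rec in records:
        if rec.usage != 2:
            continue
        for cert in chain:
            if tlsa_matches(rec, cert):
                return cert
    return None


def tlsa_for(cert: Cert, selector: int = 0, matching_type: int = 1) -> TLSA:
    """What the operator publishes in DNS for its trust anchor certificate."""
    return TLSA(2, selector, matching_type,
                associate(select(cert, selector), matching_type))


# Constructed toy chain: A is the leaf, C was signed by D, D is the TA.
A = Cert("A", b"cert-A", b"spki-A")
B = Cert("B", b"cert-B", b"spki-B")
C = Cert("C", b"cert-C", b"spki-C")
D = Cert("D", b"cert-D", b"spki-D")

TA_RECORD = tlsa_for(D)          # the "2 0 1 <sha256 of D>" record in DNS
CHAIN_WITHOUT_TA = [A, B, C]     # what the server in the thread sends
CHAIN_WITH_TA = [A, B, C, D]     # the observation's fix: ship the TA too


def verify(records: Sequence[TLSA], chain: Sequence[Cert]) -> str:
    ta = find_trust_anchor(records, chain)
    if ta is None:
        return "fail: no chain certificate matches a usage-2 TLSA record"
    return f"ok: trust anchor {ta.name} found in chain"


if __name__ == "__main__":
    print(verify([TA_RECORD], CHAIN_WITHOUT_TA))
    print(verify([TA_RECORD], CHAIN_WITH_TA))
```

Note that the record's selector and matching type decide what must appear in the chain: with selector 1 the client compares SubjectPublicKeyInfo, so any certificate in the chain carrying D's key would satisfy it, while selector 0 needs D's exact certificate bytes.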
