On Wed, May 22, 2013 at 11:13:42AM +0200, Christian Becker wrote:

> what is the intended outcome validating a record TLSA 2 x x, where the
> specified trust anchor certificate was already revoked by a CA? Does
> PKIX certification path validation include revocation checks?

With certificate usages "2" and "3" there is no PKIX validation
above the trust-anchor or EE certificate respectively.  The party
publishing the TLSA RR is responsible for updating the TLSA record
when the certificate in question is no longer trustworthy.  This
is properly a responsibility of the domain owner, I should add a note
about this to the next revision of the ops draft...

Any other feedback for the draft?

> RFC 6698 says "The target certificate MUST pass PKIX certification path
> validation, with any certificate matching the TLSA record considered to
> be a trust anchor for this certification path validation."

Trust anchors can't be revoked, the verifier has to remove them
from their trust store.  With DANE the picture is better, the domain
owner can do this once for all verifiers by publishing a new TLSA
RRset that uses a non-compromised TA.

-- 
        Viktor.
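The matching behaviour described above (usage 3 compares only the EE certificate, usage 2 treats the matched certificate as the trust anchor with nothing validated above it, and rotation happens by publishing a new RRset), written out as an added example; this is not code from the thread or from any DANE implementation, the certificate bytes are constructed placeholders, and the PKIX path step from the EE up to the matched usage-2 anchor is left out:

```python
import hashlib

# Added example (not from the thread): a minimal RFC 6698 matcher for
# certificate usages 2 (DANE-TA) and 3 (DANE-EE). Certificates are modelled
# as dicts holding constructed placeholder bytes for the full DER encoding
# and for the SubjectPublicKeyInfo, so this runs offline without a TLS stack.

def _assoc_data(cert, selector, mtype):
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert["der"] if selector == 0 else cert["spki"]
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def tlsa_record(usage, selector, mtype, cert):
    """Build the TLSA RR the domain owner would publish for `cert`."""
    return (usage, selector, mtype, _assoc_data(cert, selector, mtype))

def dane_verify(rrset, chain):
    """chain[0] is the end-entity cert; chain[1:] are the CA certs the server sent.
    Returns the index of the cert that acts as trust anchor, or None on failure.
    Usage 3: only the EE cert is compared; nothing above it is validated.
    Usage 2: the matched cert becomes the trust anchor; no PKIX validation
    (and hence no revocation check) is applied above that anchor. The PKIX
    path check from the EE up to the anchor is omitted in this sketch."""
    for usage, sel, mt, data in rrset:
        if usage == 3:
            if _assoc_data(chain[0], sel, mt) == data:
                return 0
        elif usage == 2:
            for i, cert in enumerate(chain):
                if _assoc_data(cert, sel, mt) == data:
                    return i
    return None

# Constructed placeholder certificates (not real DER).
EE = {"der": b"ee-cert-der", "spki": b"ee-spki"}
OLD_CA = {"der": b"old-ca-der", "spki": b"old-ca-spki"}
NEW_CA = {"der": b"new-ca-der", "spki": b"new-ca-spki"}

# Domain owner's response to a compromised TA: publish a new RRset.
# Verifiers need no trust-store change; the old anchor simply stops matching.
OLD_RRSET = [tlsa_record(2, 1, 1, OLD_CA)]
NEW_RRSET = [tlsa_record(2, 1, 1, NEW_CA)]
```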
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane