Which exact IETF mailing list or group is discussing the SRV RR draft and the SMTP RR draft?
I think I have seen the SMTP RR draft here (in [email protected]), am I wrong?

--
Bright Star.

Received from Viktor Dukhovni, on 2013-05-25 7:42 AM:
> On Sat, May 25, 2013 at 08:30:52PM +1000, oneofthem wrote:
>
>> 1. Is DANE finished? Ready to go, rock and roll?
>
> The TLSA RR has been standardized. What remains to do is to define
> how TLSA records are to be used in various application protocols.
>
> For application protocols that use SRV records there is a draft in progress.
> There is another draft for SMTP based on the SRV draft since MX records
> are similar to SRV records.
>
> I have proposed two recent drafts (see the list archives) that address in
> more detail how applications that can't use the existing public CA PKI
> should interact with DANE (in particular SMTP) and also some implications
> for various corner cases.
>
> I have also proposed that applications "follow CNAMEs" to derive
> the base domain for TLSA records. It remains to be seen whether
> this will gain any traction.
>
> OpenSSL does not yet provide ready-to-use DANE verification code,
> so applications based on OpenSSL have to roll their own. This will
> change at some point, though I hope not too soon, since the
> required changes are invasive, and need some time for the design
> and implementation to be validated.
>
>> 2. Is it possible for DANE to replace the CA system currently in place?
>
> For server domains that have deployed DNSSEC, and applications
> where clients have DNSSEC validating caching resolvers (or have
> chosen to embed DNSSEC capable stub-resolvers directly in application
> code) it is possible to bypass the existing public CA PKI.
>
> Just publish TLSA records with usage "3" or perhaps "2", and with
> usage "2" make sure to include the TA cert in the server's TLS
> handshake certificate chain.
>
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
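An added example, not part of the original thread and not code from OpenSSL or any other project: the record-matching step for TLSA usages "2" and "3" mentioned in the quoted reply, showing why a usage "2" record can only match when the TA cert is in the chain the server sends. The certificate bytes are constructed stand-ins, only selector 0 (full certificate) is handled, and DNSSEC validation and signature checking of the chain are assumed to happen elsewhere.

```python
import hashlib
from typing import NamedTuple, Optional, Sequence


class TLSA(NamedTuple):
    usage: int     # 2 = trust anchor asserted by the domain, 3 = end-entity cert
    selector: int  # 0 = full certificate (the only selector handled here)
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data from the record


def _associate(mtype: int, der: bytes) -> bytes:
    """Turn a DER certificate into the form the record's matching type compares."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_match(rr: TLSA, chain: Sequence[bytes]) -> Optional[int]:
    """Return the index of the chain certificate that rr matches, else None.

    chain is the server's handshake chain as DER blobs, leaf first.
    """
    if rr.selector != 0:
        raise ValueError("only selector 0 is handled in this example")
    if rr.usage == 3:
        candidates = range(min(1, len(chain)))  # the leaf only
    elif rr.usage == 2:
        candidates = range(len(chain))          # any cert the server presented
    else:
        raise ValueError("only usages 2 and 3 are handled in this example")
    for i in candidates:
        if _associate(rr.mtype, chain[i]) == rr.data:
            return i
    return None


# Constructed placeholder bytes standing in for DER-encoded certificates.
LEAF = b"constructed-leaf-certificate"
TA = b"constructed-trust-anchor-certificate"

EE_RR = TLSA(3, 0, 1, hashlib.sha256(LEAF).digest())
TA_RR = TLSA(2, 0, 1, hashlib.sha256(TA).digest())

if __name__ == "__main__":
    print("usage 3, leaf only sent:    ", tlsa_match(EE_RR, [LEAF]))
    print("usage 2, TA cert included:  ", tlsa_match(TA_RR, [LEAF, TA]))
    print("usage 2, TA cert left out:  ", tlsa_match(TA_RR, [LEAF]))
```

A match under usage "2" only identifies the trust anchor; the client still has to verify that the leaf chains up to it.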
