On Thu, May 30, 2013 at 02:53:21PM +0200, Jakob Schlyter wrote:
> > So with Usage 2 the own CA can be everything, from an online CA,
> > storing the private key in the public accessible webroot, enabling
> > everyone who recognized it to issue certs for the domain by himself.
>
> There is not practical difference between usage 2 and 3 - it is
> just a choice of levels of indirection.

There is a big difference in the implementation robustness. With usage
3 the client looks only at the peer certificate or public key.
- The server operator cannot accidentally leave out the required
intermediate CAs from his chain (one of the most frequent
administrator-caused failure modes for TLS).
- The client does not perform name checks, so a lot less can fail.

Therefore, while 2 and 3 are very similar in theory (when administrators
don't make mistakes and client implementations are bug free), the
usage 3 TLSA RR is far more likely to be robust in practice.

I'll add something to the operations draft about usage 3:
- Servers SHOULD use a certificate with subjectAltName DNS entries
that matches the base domains of all relevant TLSA RRs even with
usage 3, because some client implementations may erroneously insist
on checking the subject name in usage 3 certificates.
- Clients MUST ignore the subject name in usage 3 certificates; checking
for a matching certificate or public key is the only check the client
needs to perform.
--
Viktor.
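
The usage 3 check described in this message, as an added example that is not part of the original post or of any DANE implementation: the client compares only the presented certificate (selector 0) or its subjectPublicKeyInfo (selector 1) with the TLSA association data, and never builds a chain or reads the subject name. Selector and matching-type numbers follow RFC 6698; the function names and the unsigned, certificate-shaped sample DER are constructed for illustration.

```python
import hashlib
import hmac

def _tlv(der, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, start = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(der[start:start + n], "big"), start + n
    return tag, start, start + length

def spki_from_cert(cert_der):
    """Return the DER subjectPublicKeyInfo (header included) of an X.509 cert."""
    _, pos, _ = _tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] version
        pos = end
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

SELECT = {0: lambda cert: cert, 1: spki_from_cert}     # full cert / public key
MATCH = {0: lambda b: b,                               # exact match
         1: lambda b: hashlib.sha256(b).digest(),
         2: lambda b: hashlib.sha512(b).digest()}

def tlsa_usage3_match(cert_der, selector, mtype, assoc_data):
    """Usage 3: match the peer cert or key only. No chain, no name check."""
    if selector not in SELECT or mtype not in MATCH:
        return False                           # unknown parameters never match
    return hmac.compare_digest(MATCH[mtype](SELECT[selector](cert_der)), assoc_data)

def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(subject=b"wrong-name.invalid"):
    """Constructed, unsigned, cert-shaped DER; returns (cert, spki)."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))
    alg = _der(0x30, _der(0x06, b"\x2b\x65\x70"))          # OID 1.3.101.112
    spki = _der(0x30, alg + _der(0x03, b"\x00" + bytes(range(32))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(b"Example CA") + _der(0x30, _der(0x17, b"130530000000Z") * 2)
               + name(subject) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 65)), spki
```

Two sample certificates that differ only in subject name produce the same selector 1 result, which is the behaviour the second bullet above requires of clients.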