On Thu, Sep 19, 2013 at 10:10:35PM +0000, Viktor Dukhovni wrote:
> Agreed on PKIX-TA vs. PKIX-CA.
On second thought, I am not so sure, the CA constraint with usage
0, is NOT a trust-anchor, the trust-anchor is still the PKIX root CA.
This usage requires the presence of a given CA (root or intermediate)
in the chain, but does not promote that CA to a trust anchor (as
with usage 2). So perhaps the original PKIX-CA is in fact better.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
