On Mon, Oct 07, 2013 at 08:20:10AM -0700, Jim Schaad wrote:
> However they would not use DANE-TA in the event that a key ring that was
> self-signed was to be used to validate a second key wrong.
[ Typo for "ring" as "rong" auto-corrected to "wrong".
"Damn you auto-connect!"
Oops, sorry: "Damn you auto-corrupt!"
Oh, never mind... ]
> In this case
> there is a root of trust (i.e. a TA) and then a second level signed PGP key
> which is used in the TLS session to do the appropriate things. This allows
> for the TLS key to be rotated more frequently. But there is no PKIX
> validation in this case and thus the use of DANE-TA, which seems logical, is
> wrong.
The DANE usages defined thus far are for TLS with X.509v3 certificates.
These may be self-signed, issued by a private self-signed TA, or
issued by a public CA.
I don't see where hypothetical PGP certificates fit in.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
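To make the distinction in Viktor's reply concrete (DANE usages constrain X.509 certificates, and the *-TA usages name a trust anchor in the presented chain while the *-EE usages constrain only the end-entity), here is an added example that is not from the thread or any DANE implementation. It parses TLSA RDATA and matches a record against a constructed chain consisting of a leaf issued by a private self-signed TA; the `Cert` type, the `DER:`/`SPKI:` byte strings and the chain are constructed stand-ins, not real DER. PKIX path validation, which PKIX-TA and PKIX-EE additionally require, is deliberately not performed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# RFC 6698 field values. Certificate usage: PKIX-TA(0), PKIX-EE(1),
# DANE-TA(2), DANE-EE(3). Selector: Cert(0), SPKI(1).
# Matching type: Full(0), SHA2-256(1), SHA2-512(2).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2
_DIGEST_LEN = {MT_SHA256: 32, MT_SHA512: 64}


@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for a parsed X.509v3 certificate: the DER of the
    whole certificate and the DER of its SubjectPublicKeyInfo."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA wire format: usage(1) selector(1) mtype(1) data(n)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the three fixed octets")
    rec = TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))
    if rec.usage not in (PKIX_TA, PKIX_EE, DANE_TA, DANE_EE):
        raise ValueError(f"unknown certificate usage {rec.usage}")
    if rec.selector not in (SEL_CERT, SEL_SPKI):
        raise ValueError(f"unknown selector {rec.selector}")
    if rec.mtype not in (MT_FULL, MT_SHA256, MT_SHA512):
        raise ValueError(f"unknown matching type {rec.mtype}")
    if rec.mtype in _DIGEST_LEN and len(rec.data) != _DIGEST_LEN[rec.mtype]:
        raise ValueError("association data length does not fit matching type")
    return rec


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Derive the bytes a TLSA record would carry for this certificate."""
    raw = cert.der if selector == SEL_CERT else cert.spki
    if mtype == MT_FULL:
        return raw
    if mtype == MT_SHA256:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def build_tlsa_rdata(usage: int, selector: int, mtype: int, cert: Cert) -> bytes:
    """Publish-side helper: RDATA for a record pinning `cert`."""
    return bytes([usage, selector, mtype]) + association_data(cert, selector, mtype)


def tlsa_match(rec: TLSA, chain: List[Cert]) -> Optional[str]:
    """Return the name of the chain certificate the record matches, or None.

    chain[0] is the end-entity certificate the server presented; later entries
    are the issuer certificates it sent. The *-EE usages (1 and 3) constrain
    only chain[0]; the *-TA usages (0 and 2) name a trust anchor, which may be
    any certificate in the presented chain. PKIX-TA/PKIX-EE additionally need
    the chain to validate under the client's PKIX trust store, which this
    example does not perform; DANE-TA/DANE-EE do not.
    """
    candidates = chain[:1] if rec.usage in (PKIX_EE, DANE_EE) else chain
    for cert in candidates:
        if association_data(cert, rec.selector, rec.mtype) == rec.data:
            return cert.name
    return None


# Constructed sample chain (not real DER): a leaf issued by a private
# self-signed TA, the arrangement the thread is discussing.
LEAF = Cert("leaf", b"DER:leaf-cert", b"SPKI:leaf-key")
PRIVATE_TA = Cert("private-ta", b"DER:self-signed-ta", b"SPKI:ta-key")
CHAIN = [LEAF, PRIVATE_TA]


def demo() -> dict:
    """Which usages match which chain member for the constructed chain."""
    dane_ta = parse_tlsa_rdata(build_tlsa_rdata(DANE_TA, SEL_CERT, MT_SHA256, PRIVATE_TA))
    dane_ee = parse_tlsa_rdata(build_tlsa_rdata(DANE_EE, SEL_SPKI, MT_SHA256, LEAF))
    # A DANE-EE record pinned to the TA never matches: EE usages look at chain[0] only.
    misplaced = parse_tlsa_rdata(build_tlsa_rdata(DANE_EE, SEL_CERT, MT_SHA256, PRIVATE_TA))
    return {
        "dane_ta": tlsa_match(dane_ta, CHAIN),
        "dane_ee": tlsa_match(dane_ee, CHAIN),
        "misplaced": tlsa_match(misplaced, CHAIN),
    }


if __name__ == "__main__":
    print(demo())
```

With the private TA pinned via DANE-TA (usage 2, selector 0), the leaf can be rotated freely as long as it is issued by that TA and the TA certificate is sent in the chain; the rotation benefit Jim describes is available entirely within X.509, which is the point of the reply.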