Viktor,

> On Thu, Jan 16, 2014 at 12:35:49PM -0500, Stephen Nightingale wrote:
>
> > Granted the cert even for Cert Use DANE-EE(3) must be well-formed in
> > order to see what's in it.
> >
> > But I believe Viktor's main point is that the only field *value*
> > that matters for DANE-EE(3) is the Public Key.  Issuer, Common Name
> > and SubjectAltName are just deckchairs.
>
> Correct, the point is that DANE verification makes no use of these values;
> if, however, underlying libraries are likely to object, certificates like
> this should perhaps be avoided.  Note, however, that this means that a
> certificate with an empty subject DN can never be self-signed.

yep.

> > I'll strive to avoid publishing examples that are likely to fail
> > interoperability tests.
>
> For what it is worth, OpenSSL does not mind empty subject and issuer
> DNs even without a SAN extension, if the application layer does not
> object.  The DANE verification code I wrote on top of OpenSSL likewise
> does not object with usage DANE-EE(3).

OpenSSL is a collection of libraries which do not represent a
reference implementation of 5280 or X.509 standards.
So my instructions to users will have to suggest something like:

        openssl req ... -subj "/CN=?"

for self signed certificates that are intended solely for DANE-EE(3) use.

Using the question mark seems OK, better than an asterisk, which might
be interpreted by some as a wildcard.

Steve
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
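The point debated above, that a DANE-EE(3) association with the SPKI selector depends only on the public key while subject and issuer DNs are irrelevant, can be shown without any real keys. The following is an added example, not code from the thread or from either participant: it builds two synthetic, certificate-shaped DER structures with a hand-rolled encoder (placeholder key bits and signature bytes, constructed here purely for illustration), one with empty subject and issuer DNs and one with the "/CN=?" style subject, and computes the TLSA association data for selector 0 (full certificate) and selector 1 (SubjectPublicKeyInfo). It also flags the two RFC 5280 name requirements that an empty-DN certificate runs into, which is why such a certificate cannot be self-signed.

```python
"""Added example: DANE-EE(3) association data depends only on the SPKI when
selector 1 is used.  Stdlib only.  The "certificates" below are synthetic
DER structures with placeholder key and signature bytes, built here for
illustration; they are not real X.509 certificates."""
import hashlib

SEQ, SET, INT, OID, UTF8, BITSTR, NULL, UTCTIME = 0x30, 0x31, 0x02, 0x06, 0x0C, 0x03, 0x05, 0x17


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


# Pre-encoded OIDs: commonName (2.5.4.3), rsaEncryption, sha256WithRSAEncryption.
OID_CN = der_tlv(OID, bytes.fromhex("550403"))
OID_RSA = der_tlv(OID, bytes.fromhex("2a864886f70d010101"))
OID_SHA256_RSA = der_tlv(OID, bytes.fromhex("2a864886f70d01010b"))


def name(cn):
    """X.501 Name: an empty SEQUENCE when cn is None, else one CN RDN."""
    if cn is None:
        return der_tlv(SEQ, b"")
    atv = der_tlv(SEQ, OID_CN + der_tlv(UTF8, cn.encode()))
    return der_tlv(SEQ, der_tlv(SET, atv))


def spki(key_bits):
    """SubjectPublicKeyInfo with an rsaEncryption AlgorithmIdentifier.
    key_bits is an opaque placeholder standing in for the encoded key."""
    alg = der_tlv(SEQ, OID_RSA + der_tlv(NULL, b""))
    return der_tlv(SEQ, alg + der_tlv(BITSTR, b"\x00" + key_bits))


def fake_cert(subject_cn, issuer_cn, key_bits):
    """Certificate-shaped DER: SEQUENCE { tbsCertificate, sigAlg, signature }.
    The signature is a constant placeholder, not a real signature."""
    version = der_tlv(0xA0, der_tlv(INT, b"\x02"))          # [0] EXPLICIT v3
    serial = der_tlv(INT, b"\x01")
    sig_alg = der_tlv(SEQ, OID_SHA256_RSA + der_tlv(NULL, b""))
    validity = der_tlv(SEQ, der_tlv(UTCTIME, b"140116000000Z")
                       + der_tlv(UTCTIME, b"150116000000Z"))
    tbs = der_tlv(SEQ, version + serial + sig_alg + name(issuer_cn)
                  + validity + name(subject_cn) + spki(key_bits))
    signature = der_tlv(BITSTR, b"\x00" + b"\xAA" * 32)      # placeholder bytes
    return der_tlv(SEQ, tbs + sig_alg + signature)


def der_read(buf, pos):
    """Parse one TLV at pos; return (tag, raw_tlv, body, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start, end = pos + hdr, pos + hdr + n
    return tag, buf[pos:end], buf[start:end], end


def tbs_fields(cert):
    """Top-level tbsCertificate fields with the optional [0] version dropped:
    serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ..."""
    _, _, cert_body, _ = der_read(cert, 0)
    _, _, tbs, _ = der_read(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, raw, body, pos = der_read(tbs, pos)
        fields.append((tag, raw, body))
    return fields[1:] if fields[0][0] == 0xA0 else fields


def extract_spki(cert):
    """Raw SubjectPublicKeyInfo TLV, the input for TLSA selector 1."""
    return tbs_fields(cert)[5][1]


def tlsa_rdata(cert, usage, selector, mtype=1):
    """TLSA presentation form for matching type 1 (SHA-256)."""
    data = cert if selector == 0 else extract_spki(cert)
    return f"{usage} {selector} {mtype} {hashlib.sha256(data).hexdigest()}"


def name_caveats(cert):
    """RFC 5280 name rules an empty-DN certificate collides with."""
    fields = tbs_fields(cert)
    issuer, subject = fields[2][2], fields[4][2]
    notes = []
    if issuer == b"":
        notes.append("empty issuer DN: RFC 5280 4.1.2.4 requires a non-empty issuer")
    if subject == b"":
        notes.append("empty subject DN: RFC 5280 4.1.2.6 then requires a critical SAN")
    return notes


KEY = bytes(range(64))                      # constructed placeholder key bits
cert_empty = fake_cert(None, None, KEY)     # empty subject and issuer DNs
cert_cn = fake_cert("?", "?", KEY)          # the -subj "/CN=?" style, same key
cert_other = fake_cert("?", "?", bytes(64)) # same DNs, different key


def demo():
    """Selector 1 sees only the key; selector 0 sees the DNs as well."""
    return {
        "spki_match": tlsa_rdata(cert_empty, 3, 1) == tlsa_rdata(cert_cn, 3, 1),
        "full_cert_match": tlsa_rdata(cert_empty, 3, 0) == tlsa_rdata(cert_cn, 3, 0),
        "other_key_spki_match": tlsa_rdata(cert_cn, 3, 1) == tlsa_rdata(cert_other, 3, 1),
    }


if __name__ == "__main__":
    print(demo())
    print(name_caveats(cert_empty))
```

Both `3 1 1` records come out identical while the `3 0 1` records differ, which is the "deckchairs" observation in concrete form; `name_caveats` on the empty-DN structure returns the two RFC 5280 complaints a strict 5280 validator would raise, and the issuer one is what rules out self-signing such a certificate.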
