Hi Viktor, my apologies about the seriously delayed reply.
On 12/19/13, 10:30 AM, Viktor Dukhovni wrote:
On Thu, Dec 19, 2013 at 08:07:10AM -0800, [email protected] wrote:

Filename : draft-ietf-dane-srv-03.txt
Date : 2013-12-13

Section 5 (no exception for usage 3):
Section 7 (MUST and SHOULD on server name are too strong):
Section 10.3 (no exception for usage 3):

This still conflicts with the smtp-with-dane and ops drafts with respect to name checks (server identity checks) in usage 3. In the two conflicting documents usage 3 certificates are validated exclusively by matching against DANE TLSA RRs. No name checks, key usage checks, expiration checks, ... apply with usage 3. Rather, the binding of the EE certificate to the service end-point is entirely established by the DNSSEC TLSA record (also its validity lifetime is the lifetime of the TLSA record). Correspondingly, all requirements on the content of the server certificate are relaxed with usage 3; it may, if desired, contain no identity information.
You are right. We will update the document to properly account for usage 3 scenarios.
Peter

--
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
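The usage 3 semantics Viktor describes above (TLSA match only, no name, expiry or chain checks) contrasted with usage 1 (TLSA match on top of ordinary PKIX validation), as an added example that is not part of this thread or of any of the drafts it discusses. The certificate is modelled as a hypothetical dataclass with constructed sample bytes rather than a parsed DER certificate, and the helper names (`verify_dane`, `tlsa_matches`, `ServerCert`) are this example's own; the usage, selector and matching-type values are the TLSA RDATA values from RFC 6698.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# TLSA RDATA field values (RFC 6698): the two usages contrasted in the
# thread, both selectors and the three matching types.
PKIX_EE = 1   # usage 1: PKIX validation, name check AND TLSA match required
DANE_EE = 3   # usage 3: the TLSA match alone binds the cert to the service
SEL_FULL_CERT = 0
SEL_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # "certificate association data"


@dataclass
class ServerCert:
    """Hypothetical, simplified view of a server certificate (no DER parsing)."""
    der: bytes           # whole certificate as presented in the handshake
    spki: bytes          # SubjectPublicKeyInfo portion of that certificate
    names: list          # identities the certificate asserts (SAN/CN)
    not_after: datetime  # certificate expiry
    pkix_valid: bool     # outcome of chain validation to a configured trust anchor


def selected_data(cert: ServerCert, selector: int) -> bytes:
    """Pick the part of the certificate the TLSA selector refers to."""
    if selector == SEL_FULL_CERT:
        return cert.der
    if selector == SEL_SPKI:
        return cert.spki
    raise ValueError(f"unknown TLSA selector {selector}")


def tlsa_matches(record: TlsaRecord, cert: ServerCert) -> bool:
    """Apply the record's matching type to the selected data and compare."""
    data = selected_data(cert, record.selector)
    if record.matching_type == MATCH_EXACT:
        candidate = data
    elif record.matching_type == MATCH_SHA256:
        candidate = hashlib.sha256(data).digest()
    elif record.matching_type == MATCH_SHA512:
        candidate = hashlib.sha512(data).digest()
    else:
        return False  # unknown matching type: this record cannot match
    return hmac.compare_digest(candidate, record.data)


def verify_dane(records, cert, expected_name, now):
    """Return (accepted, reason). Only usages 1 and 3 are modelled here."""
    for rec in records:
        if rec.usage == DANE_EE:
            # Usage 3: the DNSSEC-validated TLSA record *is* the binding.
            # No name check, no expiry check, no PKIX chain check applies.
            if tlsa_matches(rec, cert):
                return True, "DANE-EE: certificate matches TLSA record"
        elif rec.usage == PKIX_EE:
            # Usage 1: the TLSA match constrains an otherwise ordinary PKIX
            # validation, so every usual check still has to pass as well.
            if not cert.pkix_valid:
                continue
            if expected_name not in cert.names:
                continue
            if now > cert.not_after:
                continue
            if tlsa_matches(rec, cert):
                return True, "PKIX-EE: chain, name, validity and TLSA all pass"
    return False, "no usable TLSA record matched the presented certificate"


# Constructed sample data (not real certificates). SAMPLE_CERT is expired,
# fails chain validation and names a host other than the one being contacted;
# VALID_CERT is the same key presented in a certificate that passes PKIX.
SAMPLE_CERT = ServerCert(
    der=b"constructed-der-bytes-of-server-cert",
    spki=b"constructed-spki-bytes",
    names=["mail.example.com"],
    not_after=datetime(2013, 1, 1, tzinfo=timezone.utc),
    pkix_valid=False,
)
VALID_CERT = ServerCert(
    der=b"constructed-der-bytes-of-a-ca-issued-cert",
    spki=SAMPLE_CERT.spki,
    names=["xmpp.example.net"],
    not_after=datetime(2015, 1, 1, tzinfo=timezone.utc),
    pkix_valid=True,
)
NOW = datetime(2013, 12, 19, tzinfo=timezone.utc)
SPKI_SHA256 = hashlib.sha256(SAMPLE_CERT.spki).digest()
DANE_EE_RECORD = TlsaRecord(DANE_EE, SEL_SPKI, MATCH_SHA256, SPKI_SHA256)
PKIX_EE_RECORD = TlsaRecord(PKIX_EE, SEL_SPKI, MATCH_SHA256, SPKI_SHA256)
WRONG_RECORD = TlsaRecord(DANE_EE, SEL_SPKI, MATCH_SHA256, b"\x00" * 32)

if __name__ == "__main__":
    for recs in ([DANE_EE_RECORD], [PKIX_EE_RECORD], [WRONG_RECORD]):
        print(verify_dane(recs, SAMPLE_CERT, "xmpp.example.net", NOW))
```

With the usage 3 record the expired, wrongly named, self-signed SAMPLE_CERT is accepted because the record's SPKI digest matches; the identical digest in a usage 1 record rejects it, and only VALID_CERT passes usage 1. What the code does not model is the point in parentheses in the thread: under usage 3 the effective validity period of the binding is that of the DNSSEC-signed TLSA record itself, so a resolver's record TTL and RRSIG validity take the place of the certificate's notAfter.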
