>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> Therefore, the final proposal for DANE-EE(3) is that only name
VD> checks and expiration checks are out of scope. This applies whether
VD> the selector is Cert(0) or SPKI(1). However, when *all* TLSA records
VD> are "IN TLSA DANE-EE(3) SPKI(1) ?", implementations that support the
VD> proposed bare public key TLS extension, may signal that extension,
VD> in which case if the server cooperates, in effect the rest of the
VD> certificate is ignored (in fact never transmitted).

VD> Any comments? Can the above be the final consensus on this topic?

That seems reasonable.

Some software stacks may make that difficult easily to accomplish.
At least in the short term. But such libraries can be fixed.

So, +1.

-JimC
-- 
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
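The client-side logic the proposal above implies, as an added example that is not part of this thread or of any DANE implementation: match DANE-EE(3) records on either selector without consulting name or expiration, and offer the bare public key extension only when every record is DANE-EE(3) SPKI(1). The function names are hypothetical, the byte strings are constructed stand-ins for DER, and extracting the SPKI from a real certificate is assumed to be done by the TLS library.

```python
import hashlib
from typing import NamedTuple, Optional, Sequence

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE
    selector: int  # 0 = Cert (full certificate), 1 = SPKI (public key only)
    mtype: int     # 0 = Full, 1 = SHA2-256, 2 = SHA2-512
    data: bytes

DANE_EE, CERT, SPKI = 3, 0, 1
_DIGEST = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def may_offer_raw_public_key(rrset: Sequence[TLSA]) -> bool:
    """True only when *all* records are DANE-EE(3) SPKI(1); a single
    Cert(0) or non-EE record means the full certificate may be needed."""
    return bool(rrset) and all(
        r.usage == DANE_EE and r.selector == SPKI for r in rrset)

def dane_ee_match(rrset: Sequence[TLSA], spki_der: bytes,
                  cert_der: Optional[bytes] = None) -> Optional[TLSA]:
    """Return the first DANE-EE(3) record matching the peer.
    cert_der is None when the server sent a bare public key.
    Name and expiration are deliberately never examined here."""
    for r in rrset:
        if r.usage != DANE_EE or r.mtype not in _DIGEST:
            continue
        blob = (spki_der if r.selector == SPKI
                else cert_der if r.selector == CERT else None)
        if blob is not None and _DIGEST[r.mtype](blob) == r.data:
            return r
    return None

# Constructed sample input: opaque bytes standing in for DER encodings.
SAMPLE_SPKI = b"constructed-spki-der"
SAMPLE_CERT = b"constructed-subject-and-expired-validity" + SAMPLE_SPKI
SPKI_ONLY = [TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest())]
MIXED = [TLSA(3, 0, 1, hashlib.sha256(SAMPLE_CERT).digest()),
         TLSA(3, 1, 2, hashlib.sha512(SAMPLE_SPKI).digest())]

if __name__ == "__main__":
    print("offer raw key (SPKI only):", may_offer_raw_public_key(SPKI_ONLY))
    print("offer raw key (mixed):    ", may_offer_raw_public_key(MIXED))
    print("bare-key match:", dane_ee_match(SPKI_ONLY, SAMPLE_SPKI))
```
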
