Viktor Dukhovni wrote:
>
> I may have gone a bit further than necessary. The main goal is to
> make DANE authentication usable in protocols with no user to "click
> OK". To this end I want to avoid the most common operational
> failures with PKIX. Therefore I propose that:
>
> - In addition to name checks, expiration checks also be
>   performed via the TLSA RR signature lifetime, rather than
>   the certificate expiration date. The TLSA record is updated
>   frequently as the DNSSEC zone is periodically re-signed. This
>   ensures that there are no surprise expirations. Certificates
>   can be replaced at the operator's convenience.
>
> Any comments? Can the above be the final consensus on this topic?

I strongly dislike this idea, and would really appreciate instead a requirement that any X.509 certificates that are generated for use with DANE-EE(3) *MUST* be generated with a sufficiently liberal validity period that interop is not going to break if a DANE client enforces the X.509 asserted validity period.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
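The two positions in this exchange differ only in which lifetime bounds a DANE-EE(3) match: Viktor's proposal trusts the RRSIG window over the TLSA record, Martin's keeps the X.509 notBefore/notAfter. The following Go program is an added illustration written for this page, not code from either poster or from any DANE implementation. It issues a self-signed one-day test certificate, derives the TLSA "3 1 1" association data (SHA-256 over the SubjectPublicKeyInfo), and evaluates the same certificate under both time policies 48 hours later; the TLSA record, its RRSIG window and the name mail.example.invalid are constructed in memory, not fetched from DNS.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Policy selects which lifetime bounds a DANE-EE(3) association.
type Policy int

const (
	CertValidity  Policy = iota // enforce X.509 notBefore/notAfter (Martin's position)
	RRSIGValidity               // enforce the TLSA RRSIG window instead (Viktor's proposal)
)

// TLSARecord is a TLSA "3 1 1" record (usage DANE-EE, selector SPKI, matching
// SHA-256) plus the validity window of the RRSIG covering it. Constructed in
// memory for this example rather than looked up via DNSSEC.
type TLSARecord struct {
	Usage, Selector, Matching uint8
	Data                      []byte
	RRSIGInception            time.Time
	RRSIGExpiration           time.Time
}

// SPKIHash returns the association data a "3 1 1" record carries for cert.
func SPKIHash(cert *x509.Certificate) []byte {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return sum[:]
}

// ValidateDANEEE checks the SPKI match, then the lifetime chosen by p.
// Chain building and name checks are not part of DANE-EE(3) and are omitted.
func ValidateDANEEE(cert *x509.Certificate, rr TLSARecord, now time.Time, p Policy) error {
	if rr.Usage != 3 || rr.Selector != 1 || rr.Matching != 1 {
		return fmt.Errorf("only TLSA 3 1 1 is handled here, got %d %d %d", rr.Usage, rr.Selector, rr.Matching)
	}
	if !bytes.Equal(SPKIHash(cert), rr.Data) {
		return fmt.Errorf("SPKI digest does not match TLSA data")
	}
	switch p {
	case CertValidity:
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return fmt.Errorf("certificate not valid at %s (notAfter %s)",
				now.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
		}
	case RRSIGValidity:
		if now.Before(rr.RRSIGInception) || now.After(rr.RRSIGExpiration) {
			return fmt.Errorf("TLSA RRSIG not valid at %s (expires %s)",
				now.Format(time.RFC3339), rr.RRSIGExpiration.Format(time.RFC3339))
		}
	default:
		return fmt.Errorf("unknown policy %d", p)
	}
	return nil
}

// NewTestCert issues a self-signed ECDSA certificate with the given window.
// The subject name is a placeholder chosen for this example.
func NewTestCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mail.example.invalid"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := NewTestCert(start, start.Add(24*time.Hour)) // one-day certificate
	if err != nil {
		panic(err)
	}
	// Constructed record: zone re-signed weekly, so the RRSIG outlives the cert.
	rr := TLSARecord{Usage: 3, Selector: 1, Matching: 1, Data: SPKIHash(cert),
		RRSIGInception: start, RRSIGExpiration: start.Add(7 * 24 * time.Hour)}
	fmt.Printf("TLSA 3 1 1 %s\n", hex.EncodeToString(rr.Data))
	now := start.Add(48 * time.Hour) // certificate expired, RRSIG still current
	fmt.Println("cert-validity policy :", ValidateDANEEE(cert, rr, now, CertValidity))
	fmt.Println("RRSIG-validity policy:", ValidateDANEEE(cert, rr, now, RRSIGValidity))
}
```

Run with `go run .`; the first policy rejects the expired certificate while the second accepts it because the signed TLSA record is still within its RRSIG window. This also makes the operational trade-off concrete: under the RRSIG policy a stale record that keeps getting re-signed will keep an old key usable, so key rotation has to be driven by updating the TLSA data, not by the certificate's own expiry.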
