On Thu, May 29, 2014 at 11:16:58PM -0700, John Gilmore wrote:
> Or, do you have an actual, substantive, technical issue with the
> proposed extension of the DANE TLSA records?
Turf wars aside, either the TLS extension document could document
the DANE implications (including the point about when it is safe
to signal "oob public key" when the client intends to use DANE
auth) or a new DANE draft gets to document the TLS implications
(including that same point).

So some overlap is unavoidable. For example, the SMTP and OPS
drafts already talk about requiring "2 X Y" trust anchor certs in
server_certificate TLS messages; these are optional with PKIX.

My gut feeling is that since the issue applies only to clients for
which "oob" means "DANE", there should at least be a DANE WG document
that covers this, perhaps among other topics.

Would it be a problem if this got covered consistently in multiple
documents? From the perspective of an implementor it would be
helpful to see this covered in whichever document I happened to
be reading when adding bare public key support.
--
Viktor.
dane mailing list
https://www.ietf.org/mailman/listinfo/dane