It just occurred to me that, given that oob is negotiated between the client and the server, that the oob concept is !pkix, and any verification of the spki is conceptually identical, a tlsa 11x is just as usable by an oob client as a 31x is.

It does not matter that a typical full cert client would do a pkix verification on top of the tlsa verification when the tlsa is 11x. The oob client *and server* have agreed not to bother with pkix, so any ee-spki association is sufficient to verify the offered spki. In other words, by agreeing to oob, the server gives the client consent to ignore any pki details about the verification.

Only tlsa 0 and 2, which do not directly reference the ee, are really unusable in the oob case.

So the proper language probably is something like: End-Entity SPKI association via dane, ldap, firmware or any other pre-agreed method.

-JimC
--
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
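The usage-type argument in the post, as an added example that is not part of the original message: an OOB (raw-public-key) client treats a TLSA record with usage 1 or 3 identically, since both associate the end-entity SPKI, and rejects usage 0 and 2, which name a trust anchor the client has no chain to verify against. The SPKI bytes and record data below are constructed for the example; it assumes the client only ever receives the SPKI, so only selector 1 can be matched.

```python
import hashlib

# RFC 6698 field values referenced in the post
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def parse_tlsa(rdata: str):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))


def oob_usable(usage: int, selector: int) -> bool:
    """An OOB peer has agreed to skip PKIX, so 11x and 31x are equivalent:
    both bind the end-entity SPKI. Usages 0 and 2 bind a CA key, not the
    offered key, so a raw-key client cannot use them. Selector 0 (full cert)
    cannot be matched when only the SPKI is offered (assumption of this example)."""
    return usage in (USAGE_PKIX_EE, USAGE_DANE_EE) and selector == SELECTOR_SPKI


def oob_match(rdata: str, spki_der: bytes) -> bool:
    """Return True if the offered SPKI satisfies the TLSA record under OOB rules."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if not oob_usable(usage, selector):
        return False
    if mtype == MATCH_FULL:
        return data == spki_der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(spki_der).digest() == data
    if mtype == MATCH_SHA512:
        return hashlib.sha512(spki_der).digest() == data
    return False  # unknown matching type: treat as no association


# Constructed sample SPKI (placeholder bytes, not real DER) and records derived from it
SAMPLE_SPKI = b"\x30\x2a\x30\x0d\x06\x09constructed-spki-bytes"
_H256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()
RECORD_31X = "3 1 1 " + _H256              # DANE-EE, SPKI, SHA-256
RECORD_11X = "1 1 1 " + _H256              # PKIX-EE, SPKI, SHA-256
RECORD_21X = "2 1 1 " + _H256              # DANE-TA: references a CA, unusable OOB
RECORD_310 = "3 1 0 " + SAMPLE_SPKI.hex()  # full SPKI, no hash

if __name__ == "__main__":
    for rec in (RECORD_31X, RECORD_11X, RECORD_21X, RECORD_310):
        print(rec[:6], "->", oob_match(rec, SAMPLE_SPKI))
```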
