> I[t] just occurred to me that, given that oob is negotiated between the
> client and the server, that the oob concept is !pkix, and any
> verification of the spki is conceptually identical, a tlsa 11x is just
> as usable by an oob client as a 31x is.

Yes, in theory, any TLSA x 1 y record could be used to authenticate a
raw public key.  (That is, any record whose selector is "public key"
as opposed to "cert".)

But rather than defining that clients should expect such things, I
think the WG should first define a canonical representation for a raw
public key in a TLSA record, and require that "raw public key" clients
MUST support that representation.  This, then, will tell domain name
administrators what record format to use in the normal course of
publishing raw public keys with servers in their domain.

Then, as a separate and probably harder question, we should decide
which additional TLSA record formats clients MUST, SHOULD, MAY, or
MUST NOT support.

        John
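The point in the message above, that for a raw public key the comparison is against the SubjectPublicKeyInfo and so any "x 1 y" record is matched the same way, can be shown in code. The following is an added example, not code from the thread or from any DANE implementation: it builds a selector-1 TLSA record (usage, selector, matching type, association data as in RFC 6698) from a DER SPKI and checks a raw public key against it. The SPKI bytes are a constructed Ed25519 SubjectPublicKeyInfo with a dummy key, and the function names are assumptions of this example. Usage semantics (PKIX vs. DANE trust anchors) are deliberately not evaluated, since that is exactly what the WG would still have to define.

```python
# Added example (not from the thread): building and checking TLSA records
# whose selector is 1 (SubjectPublicKeyInfo) against a raw public key.
# Field layout follows RFC 6698: usage, selector, matching type, data.
import hashlib
from dataclasses import dataclass

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key whose 32 raw
# key bytes are 0x01..0x20. Not a real key; only the structure matters here.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = _ED25519_SPKI_PREFIX + bytes(range(1, 33))
OTHER_SPKI = _ED25519_SPKI_PREFIX + bytes(range(33, 65))


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0..3 (PKIX-TA, PKIX-EE, DANE-TA, DANE-EE)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: str           # certificate association data, lowercase hex

    def presentation(self) -> str:
        """Zone-file presentation format, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data}"


def _association_data(spki: bytes, matching_type: int) -> bytes:
    """Apply the matching type to the SPKI bytes."""
    if matching_type == 0:
        return spki
    if matching_type == 1:
        return hashlib.sha256(spki).digest()
    if matching_type == 2:
        return hashlib.sha512(spki).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(spki: bytes, usage: int, matching_type: int = 1) -> TLSARecord:
    """Build a selector-1 (SPKI) TLSA record for a raw public key (hypothetical helper)."""
    return TLSARecord(usage, 1, matching_type,
                      _association_data(spki, matching_type).hex())


def verify_raw_public_key(spki: bytes, record: TLSARecord) -> bool:
    """Return True if the raw public key matches the record's association data.

    With a raw public key there is no certificate, so only selector 1 can be
    evaluated. The usage field does not enter the comparison at all, which is
    why a '1 1 x' record is compared exactly like a '3 1 x' record here.
    """
    if record.selector != 1:
        return False
    try:
        expected = _association_data(spki, record.matching_type)
    except ValueError:
        return False
    return bytes.fromhex(record.data) == expected


def parse_tlsa(text: str) -> TLSARecord:
    """Parse presentation format 'usage selector mtype hexdata' into a record."""
    usage, selector, mtype, data = text.split()
    return TLSARecord(int(usage), int(selector), int(mtype), data.lower())


if __name__ == "__main__":
    # Same key, two usages: the association data and the check are identical.
    for usage in (1, 3):
        rec = tlsa_record(SAMPLE_SPKI, usage)
        print(rec.presentation(), verify_raw_public_key(SAMPLE_SPKI, rec))
    print(verify_raw_public_key(OTHER_SPKI, tlsa_record(SAMPLE_SPKI, 3)))
```

Running the block prints two records that differ only in the first field and both verify against the sample key, while the unrelated key is rejected; a selector-0 record is rejected outright because there is no certificate to hash.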

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane