Matt Miller and I submitted a new version of draft-ietf-dane-srv today.
We have a few questions for the WG...
1. In Section 4.1, we discuss how to proceed if there are no TLSA
records, only SRV records. This section assumes that the presented
certificate is a "traditional" PKIX cert. Therefore we do not take into
account raw public keys as specified in draft-ietf-tls-oob-pubkey. Do
folks here think we need to address, or at least mention, the raw keys case?
2. Also in Section 4.1, we say:
###
SRV is secure: The reference identifiers SHALL include both the
service domain and the SRV target server host name (e.g., include
both "im.example.com" and "xmpp23.hosting.example.net"). The
target server host name is the preferred name for TLS SNI or its
equivalent.
In the latter case, the client will accept either identity to ensure
compatibility with servers that support this specification as well as
servers that do not support this specification.
###
Remember that the reference identifiers are what the client uses when
determining if the certificate is acceptable (cf. RFC 6125). The
reasoning here is that if the client allows only the target server host
name as a reference identifier then it won't be able to connect to older
servers that don't yet support dane-srv, whereas if it allows only the
source domain as a reference identifier then it won't be able to connect
to newer servers that support only dane-srv. For the sake of
interoperability, supporting both seems like the best approach. Does
that justify the SHALL here? And is this the best place in the document
for this information?
Thanks!
Peter
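A worked version of the reference-identifier handling discussed above, added here as an example rather than code from the draft or the post. It builds the two reference identifiers from the quoted "SRV is secure" case and matches them against a certificate's dNSName SANs using RFC 6125 comparison rules; the `srv_secure` flag, the "insecure SRV" behaviour, and the sample SAN lists are constructed assumptions, not text from the draft.

```python
# Added example (not from draft-ietf-dane-srv or the mailing-list post).
from typing import Iterable, Optional, Tuple


def reference_identifiers(service_domain: str, srv_target: str,
                          srv_secure: bool) -> Tuple[str, ...]:
    """Return the reference identifiers the client uses (cf. RFC 6125).

    For a DNSSEC-secured SRV answer the quoted draft text requires both the
    service domain and the SRV target host name. Assumption (not quoted on
    this page): without a secure SRV answer the target name cannot be
    trusted, so only the service domain is used.
    """
    service_domain = service_domain.rstrip(".").lower()
    srv_target = srv_target.rstrip(".").lower()
    if not srv_secure:
        return (service_domain,)
    # Deduplicate while preserving order (service domain first).
    return tuple(dict.fromkeys((service_domain, srv_target)))


def _dnsname_matches(presented: str, reference: str) -> bool:
    """Compare one presented dNSName with one reference identifier.

    Case-insensitive, label by label; a wildcard is honoured only when it is
    the complete left-most label of a name with at least three labels.
    """
    p_labels = presented.rstrip(".").lower().split(".")
    r_labels = reference.split(".")
    if len(p_labels) != len(r_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) >= 3:
        return p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def select_identity(presented_ids: Iterable[str],
                    refs: Tuple[str, ...]) -> Optional[str]:
    """Return the first reference identifier matched by any presented
    dNSName, or None if the certificate names neither identity.

    Accepting either identity is what lets the client talk both to older
    servers (certificate names the service domain) and to servers that
    only support dane-srv (certificate names the SRV target)."""
    presented = list(presented_ids)
    for ref in refs:
        if any(_dnsname_matches(p, ref) for p in presented):
            return ref
    return None


if __name__ == "__main__":
    refs = reference_identifiers("im.example.com",
                                 "xmpp23.hosting.example.net", srv_secure=True)
    # Constructed SAN lists standing in for two servers' certificates.
    print(select_identity(["im.example.com"], refs))          # older server
    print(select_identity(["*.hosting.example.net"], refs))   # hosting cert
```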
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane