On Thu, Oct 02, 2014 at 05:05:14PM -0400, Doug Montgomery wrote:

> And how is that definitively distinguishable from that email identity never
> having a CERT in DANE in the first place?

It is not, but identities can have multiple associated certificates,
and in fact need to do so during key rotation.  The proposal seems
to suggest a revocation of the "identity" rather than a particular
key and this seems to be operating at the wrong granularity.

Ignoring everything but the CU with usage 4 eliminates the option
of revoking key "A" while publishing a replacement key "B".

Explicit revocation is not a good idea in DANE, the DNS publishes
a sufficiently current state of the world, not a stale assertion
with a one year TTL.  It is I think a mistake to ask where the
handbrake goes on a boat, when one happens to be more familiar with
cars.

In any case if CU=4 is to be a DANE revocation record, it should
have a meaningful selector, matching type and association data.
It should be an explicit revocation of just the matching certificate
or public key (whether it be associated with a trust-anchor or an
end-entity).

-- 
        Viktor.
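
Added illustration (not from the thread or any DANE implementation) of the granularity point above: a revocation record that carries a real selector, matching type and association data can revoke key "A" while the replacement key "B" published alongside it stays usable. The CU=4 "revoked" semantics, the stand-in certificate bytes and the helper names are assumptions for this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded certificates (not real certs).
CERT_A = b"constructed-der-cert-A"
CERT_B = b"constructed-der-cert-B"


@dataclass(frozen=True)
class DaneRecord:
    usage: int      # 0-3 per RFC 6698; 4 is ASSUMED here to mean "revoked"
    selector: int   # 0 = full certificate (1 = SPKI, not modelled here)
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def association_data(cert: bytes, selector: int, matching: int) -> bytes:
    """Compute the association data a record would carry for `cert`."""
    if selector != 0:
        raise NotImplementedError("SPKI extraction not modelled for stand-ins")
    if matching == 0:
        return cert
    if matching == 1:
        return hashlib.sha256(cert).digest()
    if matching == 2:
        return hashlib.sha512(cert).digest()
    raise ValueError(f"unknown matching type {matching}")


def matches(rec: DaneRecord, cert: bytes) -> bool:
    return rec.data == association_data(cert, rec.selector, rec.matching)


def usable_certs(rrset, certs):
    """A cert is usable if a non-revocation record matches it and no
    CU=4 record matches the same certificate (per-key, not per-identity)."""
    return [c for c in certs
            if any(r.usage != 4 and matches(r, c) for r in rrset)
            and not any(r.usage == 4 and matches(r, c) for r in rrset)]


def rotation_rrset():
    """RRset during rotation: A still published but explicitly revoked,
    B published as its replacement."""
    return [
        DaneRecord(3, 0, 1, association_data(CERT_A, 0, 1)),
        DaneRecord(4, 0, 1, association_data(CERT_A, 0, 1)),  # revokes A only
        DaneRecord(3, 0, 1, association_data(CERT_B, 0, 1)),
    ]
```

A CU=4 record without meaningful association data could not express this: it would have to be read as revoking the identity, taking key "B" down with key "A".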

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
