On Mon, 20 Oct 2014, Osterweil, Eric wrote:
For what it's worth, I think the proposed text was exactly in line with what you both are suggesting. The suggestion was a way to help enterprises express their needs (under some circumstances) a little more cleanly in DNS. For example, a single DANE TA could be used to authorize all of an organization's S/MIME users, and selective "user-no-longer-valid" (i.e. revocation) entries could override this. This could definitely allow for the fact that the S/MIME cert of a "user-no-longer-valid" employee was once valid, but not at the time of querying DNS. As you both point out (I believe), this is different than other notions of revocation.
For email addresses that are no longer valid, we have an SMTP error code that prevents delivery. The SMIME and OPENPGPKEY records are not substitutes for "is a valid email user" and it would needlessly complicate the records.

Paul

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
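To make the two positions in the thread concrete, here is an added illustration (not from the draft, the list, or either author) of the lookup semantics Eric describes: a per-user SMIMEA record, an organization-wide fallback, and a per-user "user-no-longer-valid" override. The owner-name construction follows RFC 8162 (hex of the first 28 octets of SHA-256 over the UTF-8 local-part, under `_smimecert`). Everything else is an assumption made for the example: the organization-level record at the bare `_smimecert.<domain>` name, the sentinel certificate usage value 255 (a private-use value in the TLSA/SMIMEA usage registry) as the revocation marker, and the constructed zone contents and certificate hashes.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical sentinel: usage 255 is in the private-use range of the
# certificate-usage registry; the example uses it as a "user-no-longer-valid"
# marker. Nothing in RFC 8162 defines such a marker.
REVOKED_USAGE = 255


@dataclass(frozen=True)
class SMIMEARecord:
    usage: int     # certificate usage (0-3 standardized; 255 is our sentinel)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: str      # hex-encoded certificate association data


def smimea_owner_name(local_part: str, domain: str) -> str:
    """Return the RFC 8162 owner name for an S/MIME address.

    The left-most label is the hex encoding of the first 28 octets of
    SHA-256 over the UTF-8 local-part (56 hex characters).
    """
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}."


def org_fallback_name(domain: str) -> str:
    """Hypothetical organization-wide record name (assumption, not RFC 8162)."""
    return f"_smimecert.{domain}."


def lookup_smime_policy(zone: dict, email: str) -> list:
    """Resolve the records a verifier would use for `email`.

    Precedence modelled on the thread's description:
      1. an explicit per-user revocation sentinel blocks the user entirely;
      2. otherwise a per-user record set is authoritative;
      3. otherwise fall back to the organization-wide DANE-TA record.
    Returns an empty list when no certificate may be accepted.
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        return []
    per_user = zone.get(smimea_owner_name(local_part, domain), [])
    if any(r.usage == REVOKED_USAGE for r in per_user):
        return []
    if per_user:
        return per_user
    return zone.get(org_fallback_name(domain), [])


# Constructed sample zone; hashes are placeholders, not real certificates.
ORG_TA = SMIMEARecord(usage=2, selector=1, matching=1, data="aa" * 32)
ALICE_CERT = SMIMEARecord(usage=3, selector=0, matching=1, data="bb" * 32)
REVOKED = SMIMEARecord(usage=REVOKED_USAGE, selector=0, matching=0, data="")

SAMPLE_ZONE = {
    org_fallback_name("example.com"): [ORG_TA],
    smimea_owner_name("alice", "example.com"): [ALICE_CERT],
    smimea_owner_name("bob", "example.com"): [REVOKED],
}

if __name__ == "__main__":
    for addr in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(addr, "->", lookup_smime_policy(SAMPLE_ZONE, addr))
```

Running it shows the three cases: alice resolves to her own record, carol (no per-user entry) inherits the organization TA, and bob's sentinel yields an empty answer. Paul's objection maps directly onto the third case: the verifier now has to understand a marker that the SMIMEA record type was never designed to carry, when an SMTP-level rejection already conveys "no such user".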
