Thanks Eric!

I will use them in draft-ietf-drip-registries for our X.509 certs and our 'custom' attestation certs (private OID will be needed). And then the powers-that-be can sort it out as we move forward.

But at least this way I can put forth the discussion point and the implementors can proceed with their PoC.

And most likely take it to a DNS list.  And hall talk at 114!

Bob

On 6/26/22 16:14, Eric Rescorla wrote:
I'm not aware of any major application which uses CERT records.

-Ekr


On Sun, Jun 26, 2022 at 6:41 AM Robert Moskowitz <rgm-...@htt-consult.com> wrote:

    Ah, RFC 6944...

    Yes, not a TLS issue; did not think it was, directly.  But I see.

    DIG, dig, dig..

    On 6/26/22 09:32, Robert Moskowitz wrote:
    Kind of thought so.

    So where do I ask where CERT records are being used?

    thanks

    On 6/26/22 09:22, Eric Rescorla wrote:
    Well, this really isn't a question for the TLS WG as DANE is
    external to TLS.

    With that said, ISTM that the primary purpose of DANE is to
    indicate which certificates are acceptable rather than to convey
    them, as TLS already knows how to convey them.

    -Ekr


    On Sun, Jun 26, 2022 at 5:05 AM Robert Moskowitz
    <rgm-...@htt-consult.com> wrote:

        Recently I have been in a discussion about DNS RR that hold X.509
        certificates.

        I am asking this here, as I *Think* there may be some knowledge here
        without me joining other lists...

        I was aware of DANE's rfc6698 that holds both X.509 certs or
        SubjectPublicKeyInfo.

        But I was pointed at rfc4398  Which does NOT handle
        SubjectPublicKeyInfo, but handles X.509 and other formats.

        Interesting that they both end in '98' and this is way after Jon was
        around seeing to how RFC numbers were assigned  :)

        What was the deciding point not to use 4398 for DANE?  (and now DANCE)

        What is 4398 currently used for?  Why was it not just updated to add
        SubjectPublicKeyInfo rather than add a new RR?

        And then there is rfc7250 which references 6698...

        Thank you.


        _______________________________________________
        TLS mailing list
        TLS@ietf.org
        https://www.ietf.org/mailman/listinfo/tls



