Does a DANE certificate have the same "name" as a non-DANE certificate? If the
subjectAltName for a DANE-based certificate is the same as for non-DANE, then
yes, the rules should apply. If not, no.
I cannot answer that question, and look to you experts to advise us.
Note that "validating the chain" is *not* part of 6125 nor 6125bis. Quoting
from the Applicability section:
This document addresses only name forms in the leaf "end entity" server
certificate. It does not address the name forms in the chain of certificates
used to validate a certificate, let alone creating or checking the validity
of such a chain. In order to ensure proper authentication, applications need
to verify the entire certification path as per {{PKIX}}.
Perhaps the last few words could or should be
Such as per {{PKIX}} or {{DANE}}.
But I don't know.
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta