On Mon, Jun 27, 2022 at 05:15:09PM +0000, Salz, Rich wrote:
> Does a DANE certificate have the same "name" as a non-DANE
> certificate?
Yes, the name is a DNS name, and for DANE certificate usages PKIX-TA(0),
PKIX-EE(1) and DANE-TA(2) the same logic applies to the EE certificate
as in PKIX with WebPKI trust anchors.
> If the subjectAltNAME for a DANE-based certificate is the same as for
> non-DANE, then yes the rules should apply. If not, no.
Modulo cases (e.g. SMTP) where with DANE-EE(3) the presented identifiers
in the peer certificate may be entirely ignored.
> Note that "validating the chain" is *not* part of 6125 nor 6125bis.
> Quoting from the Applicability section: This document addresses only
> name forms in the leaf "end entity" server certificate. It does not
> address the name forms in the chain of certificates used to validate a
> certificate, let alone creating or checking the validity of such a
> chain. In order to ensure proper authentication, applications need to
> verify the entire certification path as per {{PKIX}}.
>
> Perhaps the last few words could or should be
> Such as per {{PKIX}} or {{DANE}}.
Sure, but I don't know that this needs to be stated explicitly,
applications that elect DANE are well aware that they're in part or in
whole deviating from PKIX. But if there's a concern that this text in
essence "forbids" DANE, the text could simply delete "as per {{PKIX}}".
There may be other certificate chain verification modes in the future.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
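The distinction drawn in the thread, as an added example that is not part of the original messages: which checks a DANE client applies per TLSA certificate usage, with name matching kept for PKIX-TA(0), PKIX-EE(1) and DANE-TA(2) and dropped for DANE-EE(3). It assumes the caller has already extracted DER bytes for each chain certificate and its SubjectPublicKeyInfo, run path validation against the anchors the usage calls for, and performed the RFC 6125 name match; `TLSARecord`, `Policy` and `dane_accepts` are names chosen for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3  # RFC 6698 certificate usages


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Policy:
    chain_required: bool  # usages 0/1: path to a WebPKI anchor; usage 2: path to the TLSA-matched CA
    match_target: str     # "ee" = leaf certificate, "ta" = an issuer in the chain
    name_check: bool      # RFC 6125 identifier match on the leaf applies


def policy_for(usage: int) -> Policy:
    """Usages 0-2 keep the PKIX / RFC 6125 name rules; DANE-EE(3) drops them
    (RFC 7671 s.5.1; SMTP per RFC 7672 is the common case)."""
    return {
        PKIX_TA: Policy(True, "ta", True),
        PKIX_EE: Policy(True, "ee", True),
        DANE_TA: Policy(True, "ta", True),
        DANE_EE: Policy(False, "ee", False),
    }[usage]


def association_data(cert_der: bytes, spki_der: bytes, rr: TLSARecord) -> bytes:
    """TLSA certificate association data for one certificate (RFC 6698 s.2.1)."""
    blob = cert_der if rr.selector == 0 else spki_der
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[rr.matching_type]
    return digest(blob)


def dane_accepts(chain, rr: TLSARecord, chain_ok: bool, names_ok: bool) -> bool:
    """chain: [(cert_der, spki_der), ...], leaf first. chain_ok and names_ok are
    the results of path validation and the RFC 6125 match, done by the caller."""
    pol = policy_for(rr.usage)
    candidates = chain[:1] if pol.match_target == "ee" else chain[1:]
    matched = any(hmac.compare_digest(association_data(c, k, rr), rr.data)
                  for c, k in candidates)
    if not matched:
        return False
    if pol.chain_required and not chain_ok:
        return False
    return names_ok or not pol.name_check
```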