On Wed, 28 Jan 2026, Ted Lemon wrote:
>>> But more
>>> importantly, "encoded as a CBOR text string" is too vague to be interoperable.
>> See https://datatracker.ietf.org/doc/html/rfc8949#name-cbor-data-models
> This doesn't address the point I raised at all. I get that there is a definition for
> "CBOR text string"; the problem is that the text does not specify how to
> generate the contents of that string.
Ok, so perhaps you mean something like "A CBOR text string containing a DNS
presentation format FQDN, using A-label
(punycode) as per RFC5890, without trailing dot" ?
> Unfortunately I don't think there is a good RFC reference for this that is
> specific to domain names and explicitly describes the presentation format for
> domain names with non-ASCII or special characters in labels; the reference to
> RFC1035 is the best I can do, and I think could be made to work. But not
> describing this transformation at all seems like begging for interoperability
> issues down the line.
I think that is RFC5890 ?
>>> Section 9.18 adds a new TLSA selector type, but doesn't talk about the
>>> implications of this addition. I think this has the potential to create a lot
>>> of confusion, and should probably be discussed with subject matter experts
>>> before moving forward with this document.
>> What makes you think so? The existing selectors are "full X509
>> certificate" and "SubjectPublicKeyInfo". This basically adds "full C509
>> certificate". (The draft now uses "C509 Certificate", but possibly it
>> should match the name of the X509 version already there, so "full C509
>> certificate".) The selector merely tells you what type the next blob is
>> formatted in.
> Well, as I said, I'm not an expert here. The point of raising this as part of
> the DNS directorate review is to call it to the attention of the DANE working
> group and make sure that it has had (or gets!) review by actual experts. It
> does seem weird to add this new TLSA selector type and not talk about the
> implications of adding it. However, my main reason for bringing this up was the
> hope that someone from the DANE working group could weigh in on the question.
> If they think this is fine, I have no further objection.
Sure. As I said, I think it should say "full C509 certificate" to match
the "full X509 certificate", but I don't think anything else is
required.
Paul
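The following is an added illustration of the encoding rule proposed in the reply above ("a CBOR text string containing a presentation-format FQDN, A-labels, no trailing dot"); it is not part of the thread and not code from any draft. It shows both directions: producing the string and the CBOR text-string header (RFC 8949 major type 3, preferred shortest-length encoding), and parsing a received item with the checks a validator would apply (single data item, well-formed UTF-8, ASCII-only A-labels, no trailing dot, RFC 1035 label and name length limits). The A-label conversion uses Python's standard-library punycode codec (RFC 3492) after NFC normalisation and lowercasing; it does not implement the full IDNA2008 (RFC 5890/5891) code-point validation, which is an assumption of this example and is noted in the code.

```python
"""Encode and validate a DNS name carried as a CBOR text string (added example)."""
import struct
import unicodedata

MAX_LABEL_OCTETS = 63   # RFC 1035 label limit
MAX_NAME_OCTETS = 253   # longest presentation-format name without trailing dot


def to_a_label_fqdn(name: str) -> str:
    """Return the name in presentation format with A-labels and no trailing dot.

    Assumption: NFC + lowercase + punycode is enough for the labels used here;
    full RFC 5891 PVALID/bidi validation is not performed.
    """
    name = unicodedata.normalize("NFC", name).lower().rstrip(".")
    labels = []
    for label in name.split("."):
        if not label:
            raise ValueError("empty label in name")
        if label.isascii():
            alabel = label
        else:
            # RFC 3492 punycode via the stdlib codec, prefixed per RFC 5890
            alabel = "xn--" + label.encode("punycode").decode("ascii")
        if len(alabel) > MAX_LABEL_OCTETS:
            raise ValueError("label exceeds 63 octets")
        labels.append(alabel)
    fqdn = ".".join(labels)
    if len(fqdn) > MAX_NAME_OCTETS:
        raise ValueError("name exceeds 253 octets")
    return fqdn


def cbor_text_string(text: str) -> bytes:
    """Serialise `text` as a CBOR text string (major type 3) in shortest form."""
    data = text.encode("utf-8")
    n = len(data)
    if n < 24:
        head = bytes([0x60 | n])
    elif n < 0x100:
        head = b"\x78" + struct.pack(">B", n)
    elif n < 0x10000:
        head = b"\x79" + struct.pack(">H", n)
    elif n < 0x100000000:
        head = b"\x7a" + struct.pack(">I", n)
    else:
        head = b"\x7b" + struct.pack(">Q", n)
    return head + data


def encode_fqdn(name: str) -> bytes:
    """Full pipeline: Unicode name -> A-label FQDN -> CBOR text string."""
    return cbor_text_string(to_a_label_fqdn(name))


def parse_cbor_fqdn(buf: bytes) -> str:
    """Parse exactly one CBOR text string and validate it as an A-label FQDN."""
    if not buf:
        raise ValueError("empty input")
    initial = buf[0]
    if initial >> 5 != 3:
        raise ValueError("not a CBOR text string (major type 3)")
    ai = initial & 0x1F
    # Map additional-info values to (length-field size, struct format).
    sizes = {24: (1, ">B"), 25: (2, ">H"), 26: (4, ">I"), 27: (8, ">Q")}
    if ai < 24:
        n, off = ai, 1
    elif ai in sizes:
        width, fmt = sizes[ai]
        off = 1 + width
        if len(buf) < off:
            raise ValueError("truncated length field")
        (n,) = struct.unpack(fmt, buf[1:off])
        # Reject non-shortest length encodings (RFC 8949 preferred serialisation).
        limit = {1: 24, 2: 0x100, 4: 0x10000, 8: 0x100000000}[width]
        if n < limit:
            raise ValueError("length not in shortest form")
    else:
        raise ValueError("indefinite-length or reserved text string not accepted")
    payload = buf[off:off + n]
    if len(payload) != n or len(buf) != off + n:
        raise ValueError("length does not match input (truncated or trailing bytes)")
    text = payload.decode("utf-8")          # RFC 8949 requires well-formed UTF-8
    if not text.isascii():
        raise ValueError("expected A-labels, got non-ASCII characters")
    if text.endswith("."):
        raise ValueError("trailing dot not permitted")
    labels = text.split(".")
    if any(not lab or len(lab) > MAX_LABEL_OCTETS for lab in labels):
        raise ValueError("bad label length")
    if len(text) > MAX_NAME_OCTETS:
        raise ValueError("name exceeds 253 octets")
    return text


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread.
    wire = encode_fqdn("MÜNCHEN.example.")
    print(wire.hex(), "->", parse_cbor_fqdn(wire))
```

The parser deliberately rejects the two forms that most often break interoperability when a spec only says "CBOR text string": indefinite-length strings and non-shortest length headers, both legal CBOR but not deterministic encoding.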
_______________________________________________
COSE mailing list -- [email protected]