Peter Saint-Andre <[email protected]> wrote:
> >> What is the point of omitting the name check in this case?
> >> Alternatively, what is the point of including the name check in
> >> the other DANE cases? My drafts say that name checks should
> >> still be performed in the usual way, the idea being that DANE
> >> leads to additional verification code paths rather than
> >> completely distinct code paths.
> >>
> >
> > My thinking was, if we got to this point, then the name in the
> > certificate was no longer material. The delegation by the source
> > domain to the derived domain was already proved, and this check
> > simply added a technicality to fail on.
>
> Agreed.
Yes, this is a valid argument and I agree. However, I also think consistency is important. Why would some TLSA usages require name matches and others not? Why disable a check done by existing code rather than just adding checks?

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Thames, Dover, Wight, Portland: Southwest 7 to severe gale 9, decreasing 6 later in Wight and Portland. Rough or very rough. Squally showers. Moderate or good.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
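The two positions in this exchange (skip the name check once a DANE-EE association has matched, versus keep the usual name check in every TLSA usage so that DANE only adds code paths) are easier to compare side by side in code. The Python sketch below is an added illustration written for this page; it is not code from the thread, from the DANE drafts, or from any TLS library. It models certificates as plain records (DER bytes, SubjectPublicKeyInfo bytes, subject names) rather than parsing X.509, uses the RFC 6698 field meanings for usage, selector and matching type, takes the result of ordinary PKIX validation as a caller-supplied flag, and treats DANE-TA matching as "some issuer in the presented chain matches" without rebuilding the path. The `name_check_dane_ee` switch selects between the two positions; the sample certificates, TLSA data and the example.com / xmpp1.example.net delegation are constructed for the example.

```python
"""Sketch of a DANE/TLSA verifier showing where the name check sits.

Illustrative model, not IETF or library code. Certificates are plain records
so the example runs offline with only the standard library. TLSA fields
follow RFC 6698: certificate usage (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA,
3 DANE-EE), selector (0 full certificate, 1 SubjectPublicKeyInfo) and
matching type (0 exact, 1 SHA-256, 2 SHA-512).
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Sequence

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass
class Cert:
    """Assumed stand-in for an X.509 certificate; spki would normally be
    parsed out of der, and names are the dNSName SANs (or CN)."""
    der: bytes
    spki: bytes
    names: List[str] = field(default_factory=list)


@dataclass
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def association_data(cert: Cert, selector: int) -> bytes:
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def tlsa_matches(rec: TLSA, cert: Cert) -> bool:
    data = association_data(cert, rec.selector)
    if rec.matching_type == 0:
        return data == rec.data
    if rec.matching_type == 1:
        return hashlib.sha256(data).digest() == rec.data
    if rec.matching_type == 2:
        return hashlib.sha512(data).digest() == rec.data
    return False  # unknown matching type: treat the record as unusable


def name_matches(cert: Cert, reference_ids: Sequence[str]) -> bool:
    """Case-insensitive exact match of any reference identifier against the
    certificate's names (wildcards deliberately out of scope here)."""
    names = {n.lower() for n in cert.names}
    return any(r.lower() in names for r in reference_ids)


def dane_verify(records, chain, pkix_valid, reference_ids, *, name_check_dane_ee):
    """chain[0] is the end-entity certificate, chain[1:] its issuers.
    pkix_valid is the outcome of the PKIX validation the caller already ran.
    name_check_dane_ee=False skips the name check once a DANE-EE record has
    matched; True keeps the usual check in every code path."""
    ee = chain[0]
    for rec in records:
        if rec.usage == DANE_EE:
            if not tlsa_matches(rec, ee):
                continue
            if name_check_dane_ee and not name_matches(ee, reference_ids):
                continue
            return True
        if rec.usage == DANE_TA:
            # the association must match some issuer in the presented chain
            if not any(tlsa_matches(rec, c) for c in chain[1:]):
                continue
        elif rec.usage in (PKIX_TA, PKIX_EE):
            # PKIX usages only constrain an already PKIX-valid chain
            if not pkix_valid:
                continue
            target = chain[1:] if rec.usage == PKIX_TA else [ee]
            if not any(tlsa_matches(rec, c) for c in target):
                continue
        else:
            continue
        # usages 0, 1 and 2 all keep the ordinary name check
        if name_matches(ee, reference_ids):
            return True
    return False


# constructed sample material, not real certificates or records
ISSUER = Cert(der=b"issuer-cert-der", spki=b"issuer-spki", names=["Example CA"])
EE = Cert(der=b"ee-cert-der", spki=b"ee-spki", names=["xmpp1.example.net"])
CHAIN = [EE, ISSUER]
EE_RECORD = TLSA(DANE_EE, 1, 1, hashlib.sha256(EE.spki).digest())   # "3 1 1"
TA_RECORD = TLSA(DANE_TA, 0, 1, hashlib.sha256(ISSUER.der).digest())  # "2 0 1"


def demo():
    """Source domain example.com delegated (via SRV) to xmpp1.example.net,
    whose certificate names only the target host."""
    source_only = ["example.com"]
    both = ["example.com", "xmpp1.example.net"]
    return {
        "ee_skip_name": dane_verify([EE_RECORD], CHAIN, False, source_only, name_check_dane_ee=False),
        "ee_keep_name": dane_verify([EE_RECORD], CHAIN, False, source_only, name_check_dane_ee=True),
        "ee_keep_name_both": dane_verify([EE_RECORD], CHAIN, False, both, name_check_dane_ee=True),
        "ta_source_only": dane_verify([TA_RECORD], CHAIN, False, source_only, name_check_dane_ee=True),
        "ta_both": dane_verify([TA_RECORD], CHAIN, False, both, name_check_dane_ee=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

Running `demo()` shows the practical difference the thread is arguing about: with `name_check_dane_ee=False` the DANE-EE record alone accepts a certificate that names only the derived host, while with the check kept the connection is accepted only when the derived host is in the list of reference identifiers, exactly as it already is for the DANE-TA case. Which list of reference identifiers to use (source domain, derived domain, or both) is a separate decision that the code takes from the caller.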
