On Tue, 14 Aug 2012, Tony Finch wrote:
> In draft-fanf-dane-smtp and draft-fanf-dane-mua I said that clients must check that the name in the certificate matches the server host name.
Prepare for a lot of non-FQDN CNs such as "Exchange" to cause failures. I agree that both skipping the name check and using a TLSA type based on a CA are dangerous and should not be done. (And I also believe you should only be using some intermediary CA that you control if you put the CA in a TLSA record.) Reducing the strength of your TLSA to the weakest customer of a certain CA indeed seems dangerous, and we should probably have talked about that in 6698.

Paul
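As an added illustration (not code from the thread or from either draft), the host-name check Tony describes, written in Python: dNSName SANs take precedence, the CN is only a fallback, and a single leftmost wildcard label is allowed. It assumes the certificate's SAN dNSName entries and CN have already been extracted as strings, and shows why a bare CN such as "Exchange" can never match a fully qualified server name.

```python
from __future__ import annotations
from typing import Optional


def _match_one(pattern: str, host: str) -> bool:
    """Match one certificate identifier against a server host name.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only in the form '*.example.com' and matches exactly one leftmost
    label, so '*.example.com' covers 'mail.example.com' but not
    'a.b.example.com' and not 'example.com' itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False  # '*' anywhere else is not a usable wildcard
    host_head, _, host_tail = host.partition(".")
    return bool(host_head) and host_tail == tail


def cert_matches_host(san_dns: list[str], cn: Optional[str], host: str) -> bool:
    """Return True if the certificate identifies `host`.

    If the certificate carries any dNSName SANs, only those are consulted;
    the CN is used only when no dNSName SAN is present. A non-FQDN CN such
    as "Exchange" therefore fails against any fully qualified host name,
    which is exactly the failure mode the thread warns about.
    """
    names = san_dns if san_dns else ([cn] if cn else [])
    return any(_match_one(name, host) for name in names)


if __name__ == "__main__":
    # Constructed sample certificates (not real deployments).
    print(cert_matches_host([], "Exchange", "mail.example.com"))            # False
    print(cert_matches_host(["mail.example.com"], "Exchange", "mail.example.com"))  # True
    print(cert_matches_host(["*.example.com"], None, "mail.example.com"))   # True
```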
