On Sep 25, 2012, at 8:00 AM, Ben Laurie <[email protected]> wrote: > On 25 September 2012 15:44, Henry Story <[email protected]> wrote: >> What I don't understand yet looking at draft-hoffman-dane-smime, is what >> key is going to be placed in DNS. Is it the signing key? The key that will >> sign the certificates? If so that could indeed be worthwhile putting in DNS. >> ( Though one could just as easily put that in http space ). If it is to put >> the client certificates themselves in DNS, then that seems much less of a >> good idea. > > Its pretty clear it could be either of those, though I have to say the > I-D doesn't really work properly in this respect.
Can you say more? I'm not seeing why the signing or encrypting key would be different, but I could be missing something obvious. > It inherits the Certificate Usage field from 6698 - but 6698 > references TLS and TLS servers and things like that. I fear the I-D > really needs to redefine the usages in an S/MIME context. Why? Nothing in RFC 6698 says that the certificate or bare-ish key are only for signing. In fact, signing/encrypting isn't mentioned at all. --Paul Hoffman _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
