On Tue, Oct 9, 2012 at 3:39 AM, John Gilmore <[email protected]> wrote:

>> Well, my point is that they transfer exactly the same data. 0 transfers
>> an end-entity certificate and so does 2. They differ, as you say, on
>> what the receiving party does on that data. Why bother? How would a
>> server operator ever know what the receiving party will do on the data?
> This is a protocol.  It defines what both parties do -- not just
> one party.  Two parties interoperate in a protocol when BOTH implement
> it correctly.

Indeed, but DANE is not a verification protocol. It defines (or should
define) a _part_ of a verification protocol. And this should be
because DANE can be used in many more scenarios than the typical web
browser HTTPS scenario which is implied all over the document. The
"PKIX certification path validation" that is mentioned in the document
happens (or not) in those browsers irrespective of DANE, so there is
no point for DANE to mandate it. What DANE provides is an alternative
method to this path verification. It can be used in addition to path
verification or instead of it. The server operator shouldn't care or
bother how each client would use it (e.g. by specifying usage 1 or 3).
He should only specify the key of his server.

> The whole reason for the "duplication" in certificate usages is to
> protect the business models of the CA operators.  For 98% of web
> sites, there is no real need for usage 0 or 1 or 2.

OK, thanks for providing some context. The reason for the bloat in the
usage field is now apparent.


best regards,
Nikos
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
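As an added illustration of the point argued above (example code, not from this thread or from any DANE implementation), here is a small model of how a client evaluates a TLSA record under each RFC 6698 certificate usage: usages 1 and 3 carry identical end-entity association data, and the only difference is whether the client also requires its own PKIX path validation to succeed. The certificate and SPKI bytes are constructed placeholders, not real DER, and usages 0/2 are simplified to "match anywhere in the presented chain".

```python
import hashlib

# RFC 6698 certificate usage values
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the TLSA 'certificate association data' for one certificate.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype:    0 = exact bytes, 1 = SHA-256, 2 = SHA-512"""
    data = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_accepts(usage, selector, mtype, assoc, chain, pkix_valid):
    """Decide whether a presented chain satisfies one TLSA record.
    chain: list of (cert_der, spki_der) tuples, end-entity first.
    pkix_valid: outcome of the client's own PKIX path validation.
    Simplification: usages 0 and 2 accept a match anywhere in the chain;
    a real client also re-runs path validation rooted at the matched cert."""
    if usage in (PKIX_EE, DANE_EE):
        candidates = chain[:1]          # only the end-entity certificate
    elif usage in (PKIX_TA, DANE_TA):
        candidates = chain              # a CA / trust-anchor certificate
    else:
        return False                    # unknown usage: record is unusable
    matched = any(association_data(c, s, selector, mtype) == assoc for c, s in candidates)
    if usage in (PKIX_TA, PKIX_EE):     # usages 0/1 add a constraint on top of PKIX
        return matched and pkix_valid
    return matched                      # usages 2/3 replace PKIX entirely


# Constructed placeholder bytes standing in for DER encodings (not real certificates)
EE_CERT, EE_SPKI = b"constructed-ee-cert", b"constructed-ee-spki"
CA_CERT, CA_SPKI = b"constructed-ca-cert", b"constructed-ca-spki"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]


def compare_usages(pkix_valid: bool) -> dict:
    """Same TLSA data (SHA-256 of the server's SPKI) evaluated under usage 1 and 3."""
    assoc = association_data(EE_CERT, EE_SPKI, 1, 1)
    return {u: tlsa_accepts(u, 1, 1, assoc, CHAIN, pkix_valid) for u in (PKIX_EE, DANE_EE)}


if __name__ == "__main__":
    print(compare_usages(pkix_valid=False))  # {1: False, 3: True}
    print(compare_usages(pkix_valid=True))   # {1: True, 3: True}
```

The server publishes one hash either way; what changes between usage 1 and 3 is only the client-side rule that combines the match with PKIX validation.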