2012/10/23 Alexander Gurvitz <[email protected]>
> Hello.
>
> http://tools.ietf.org/html/rfc6394#section-3.1 :
>
>> Continuing to require PKIX validation also limits the degree to which
>> DNS operators (as distinct from the holders of domains) can interfere
>> with TLS authentication through this mechanism. As above, even if a
>> DNS operator falsifies DANE records, it cannot masquerade as the
>> target server unless it can also obtain a certificate for the target
>> domain.
>
> This seems like a mistake to me - DNS operator can always issue a
> fraudulent usage 2/3 record, and thus skip the CA validation.

Recall that section 3.1 just discusses the "CA Constraints", which refers to usage 0 TLSA records but not usage 2/3 TLSA records, which are discussed in other sections. So the statement "even if a DNS operator falsifies DANE records, it cannot masquerade as the target server unless it can also obtain a certificate for the target domain" is correct.

> The only advantage I can see in usage 0/1 is that it allows CA-based
> certificate revocation in case of private key compromise.
>
> Alexander Gurvitz,
> net-me.net
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane

--
Guangqing Deng
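Added example (not from this thread or from any DANE implementation) sketching the acceptance rule the reply relies on: PKIX-TA/PKIX-EE records (usage 0/1) still require a valid PKIX path, while DANE-TA/DANE-EE records (usage 2/3) do not, so a forged usage 2/3 record from the DNS operator is sufficient on its own. Certificate bytes, SPKI bytes and the `pkix_valid` flag are constructed stand-ins; real path validation, and for usage 2 building a path to the named anchor, are assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698, 2.1.1)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes   # constructed stand-in for the DER-encoded certificate
    spki: bytes  # constructed stand-in for its SubjectPublicKeyInfo


def tlsa_for(cert: Cert, usage: int, selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the TLSA record an operator would publish for `cert`."""
    raw = cert.der if selector == 0 else cert.spki
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return TLSA(usage, selector, mtype, digest(raw))


def matches(rec: TLSA, cert: Cert) -> bool:
    return tlsa_for(cert, rec.usage, rec.selector, rec.mtype).data == rec.data


def dane_accepts(rec: TLSA, chain: list, pkix_valid: bool) -> bool:
    """chain[0] is the end-entity cert, followed by the issuers the server sent.
    pkix_valid is the outcome of ordinary PKIX path validation against the
    client's CA store (assumed to be computed elsewhere)."""
    if rec.usage in (0, 1) and not pkix_valid:
        return False                     # PKIX-* usages keep CA validation
    if rec.usage in (1, 3):
        return matches(rec, chain[0])    # end-entity usages pin the leaf
    # Trust-anchor usages (0, 2): the record must name a cert in the path.
    # For usage 2, validating a path to that anchor is left to the caller.
    return any(matches(rec, c) for c in chain[1:])


def demo() -> dict:
    ca = Cert(b"der:ca", b"spki:ca")                      # constructed
    legit = [Cert(b"der:server", b"spki:server"), ca]
    rogue_ca = Cert(b"der:rogue-ca", b"spki:rogue-ca")    # no real CA signed this
    rogue = [Cert(b"der:rogue-server", b"spki:rogue-server"), rogue_ca]
    return {
        "honest_usage0": dane_accepts(tlsa_for(ca, 0), legit, pkix_valid=True),
        "forged_usage0": dane_accepts(tlsa_for(rogue_ca, 0), rogue, pkix_valid=False),
        "forged_usage2": dane_accepts(tlsa_for(rogue_ca, 2), rogue, pkix_valid=False),
        "forged_usage3": dane_accepts(tlsa_for(rogue[0], 3), rogue, pkix_valid=False),
    }
```

The `forged_usage0` case is rejected because the rogue chain fails PKIX, while the usage 2 and 3 forgeries are accepted on the strength of the DNS record alone.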
