Hello,
If a correct TLSA record for a domain means
there is no warning to the user about "cannot verify certificate",
I'm a bit concerned about the value 3 for "Certificate Usage"!
Because there (for value 3), I read:
"This certificate usage is
sometimes referred to as "domain-issued certificate" because it
allows for a domain name administrator to issue certificates for a
domain without involving a third-party CA."
So basically both the certificate (self signed)
and the TLSA record (in the DNS of the domain)
are under control of the owner of the domain name.
But since domain registration can be quite anonymous,
doesn't this mean that anybody could, if support for TLSA is widespread,
create HTTPS websites that do not cause warning messages to users?
To me it seems that anybody could, kind of, produce his own identity card ?
If that is the case, it would only increase the need for HTTPS inspection
("man-in-the-middle"),
in which case the certificate offered to the user will change
and no longer be "in line" with the TLSA record.
Is that interpretation of that value 3, and its consequences, correct ?
Or am I missing something terribly important ?
Kind regards,
Marc Lampo
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
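The mechanics the question turns on, as an added worked example by the editor rather than code from the original post or from any DANE implementation: a usage-3 (DANE-EE) TLSA record is computed from the domain owner's own end-entity certificate, and a client matches the leaf certificate it is offered in the TLS handshake directly against that record, with no CA involved. The "certificates" below are constructed byte strings standing in for DER-encoded certificates; a real client would use the leaf certificate's DER from the handshake and the TLSA RRset from a DNSSEC-validated lookup of `_443._tcp.<host>`. Only selector 0 (full certificate) is implemented so no ASN.1 parsing is needed; the field values follow RFC 6698 section 2.1. The last check shows the point made above about interception: a certificate minted by an inspecting proxy no longer matches the published record.

```python
"""DANE-EE (TLSA certificate usage 3) record generation and client-side matching.

Editor's example, not part of the original mailing-list post.  Certificates are
constructed stand-in bytes, not real X.509 DER; only selector 0 is implemented.
"""
import hashlib
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1
USAGE_DANE_EE = 3        # "domain-issued certificate": match the end-entity cert itself
SELECTOR_FULL_CERT = 0   # association data covers the full DER certificate
SELECTOR_SPKI = 1        # covers SubjectPublicKeyInfo only (not implemented here)
MATCH_EXACT = 0          # association data is the selected content itself
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    association_data: bytes

    def to_presentation(self) -> str:
        """Zone-file form, e.g. '3 0 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.association_data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def _selected_content(cert_der: bytes, selector: int) -> bytes:
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    raise NotImplementedError("selector 1 (SPKI) needs an ASN.1 parser; omitted here")


def _associate(content: bytes, matching_type: int) -> bytes:
    if matching_type == MATCH_EXACT:
        return content
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(content).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(content).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der: bytes, usage: int = USAGE_DANE_EE,
              selector: int = SELECTOR_FULL_CERT,
              matching_type: int = MATCH_SHA256) -> TLSARecord:
    """What the domain owner publishes: a record derived from their own (possibly self-signed) cert."""
    return TLSARecord(usage, selector, matching_type,
                      _associate(_selected_content(cert_der, selector), matching_type))


def dane_ee_matches(presented_cert_der: bytes, records: list[TLSARecord]) -> bool:
    """Client side for usage 3: the presented leaf cert must match at least one usage-3 record.
    No PKIX chain building or CA trust check takes part in this decision."""
    for rec in records:
        if rec.usage != USAGE_DANE_EE:
            continue
        try:
            content = _selected_content(presented_cert_der, rec.selector)
        except NotImplementedError:
            continue
        if _associate(content, rec.matching_type) == rec.association_data:
            return True
    return False


# Constructed stand-ins for DER certificates (not real X.509 bytes).
ORIGIN_SELF_SIGNED_CERT = b"\x30\x82CONSTRUCTED-self-signed-cert-for-example.test"
INTERCEPTING_PROXY_CERT = b"\x30\x82CONSTRUCTED-cert-minted-by-inspection-proxy"


def demo() -> dict:
    published = make_tlsa(ORIGIN_SELF_SIGNED_CERT)
    rr_text = published.to_presentation()               # what goes into the zone
    records = [TLSARecord.from_presentation(rr_text)]   # what a client reads back
    return {
        "record": rr_text,
        "origin_ok": dane_ee_matches(ORIGIN_SELF_SIGNED_CERT, records),
        "proxy_ok": dane_ee_matches(INTERCEPTING_PROXY_CERT, records),
        "exact_ok": dane_ee_matches(
            ORIGIN_SELF_SIGNED_CERT,
            [make_tlsa(ORIGIN_SELF_SIGNED_CERT, matching_type=MATCH_EXACT)]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the record is published in the owner's own zone and computed from the owner's own certificate, the whole trust decision for usage 3 rests on the DNS answer being authentic, which is why DANE clients require the TLSA RRset to be DNSSEC-validated before using it.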