On Sat, Mar 02, 2013 at 04:01:22AM +0000, Viktor Dukhovni wrote:
> On Fri, Mar 01, 2013 at 06:28:05PM -0500, James Cloos wrote:
>
> However, I do believe that the same (subject name checking) policy
> should apply for both certificate usage "3" and "1".

I think you are mixing up usages 1 and 2 or something. My reading of
RFC 6698:

Usage 0: Validate up but excluding RP trust anchor[1].
Usage 1: Validate up but excluding RP trust anchor[1].
Usage 2: Validate up but excluding DANE trust anchor.
Usage 3: Validate none.[2]

[1] If DANE pinned certificate is below RP trust anchor, DANE checks
can't pass (can't happen for usage 1 anyway, since nothing is below EE).

[2] This is actually a special case of validate up but excluding DANE
trust anchor.

-Ilari
