Viktor Dukhovni wrote:
>
> Having read RFC 6698 multiple times recently, I would like to ask
> for clarification of the semantics of Certificate usage "3", aka
> "Domain-issued certificate".
>
> https://tools.ietf.org/html/rfc6698#section-2.1.1
>
> Given an explicit binding in the DNS for a specified service end-point
> to a unique certificate (in full or by subject-publickey-info), it would
> seem rather unnatural to apply subject name checks to the certificate so
> bound. The binding in the DNS should ideally obviate any need for similar
> (potentially conflicting) bindings inside the certificate.
>
> Thus my reading of 6698 is that usage 3 (and 1) obviate any
> requirement for name validation, which should only apply with
> certificate usage 2 and 0.
I would actually very much dislike such an interpretation, and would require the name validation for *ALL* variants of X.509 certificates.

For DANE usage (1) it would actively subvert the name binding that the public CA (from the Web Browser X.509 PKI) placed into the certificate. What about other cert attributes in DANE usage (1) (such as BasicConstraints, KeyUsage, ExtendedKeyUsage, NameConstraints, Certificate Policies, PolicyConstraints and Validity)? The end users, some of whom sometimes actually look at the attributes of X.509 certs, would get totally confused by such weird rules.

For Usage (3) it should be trivial for the server admin to provide a correct server cert where the name matching succeeds, without confusing any users that may occasionally look at the server cert.

-Martin

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
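The two readings above differ only in which certificate usages still require a hostname check after the TLSA association data has matched. The following is an added example (not code from the thread or from any DANE implementation) that models that difference as a configurable policy for the end-entity usages (1 and 3) the thread is about; the DER blobs, record and hostnames are constructed stand-ins, and usages 0 and 2 are deliberately out of scope because they need chain handling.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded data (not real certificates); the TLSA
# matching logic only hashes or compares bytes, so any byte string works here.
SAMPLE_CERT_DER = b"constructed-end-entity-certificate-DER"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-DER"

# Which usages keep a certificate name check after the TLSA data matches.
NAME_CHECK_RFC_READING = {0, 2}     # Viktor's reading: DNS binding replaces name checks for 1 and 3
NAME_CHECK_ALWAYS = {0, 1, 2, 3}    # Martin's position: validate names for every usage

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data as published in DNS

def association_data(selector, mtype, cert_der, spki_der):
    """Derive the bytes a TLSA record is compared against from the presented certificate."""
    blob = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return blob
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](blob).digest()

def hostname_matches(hostname, cert_names):
    """Exact or single-label wildcard match of the service name against the cert's DNS names."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False

def evaluate_ee(records, cert_der, spki_der, hostname, cert_names, pkix_valid, name_check_usages):
    """Evaluate end-entity usages 1 and 3 under a name-check policy; returns (accepted, reason)."""
    for rec in records:
        if rec.usage not in (1, 3):
            continue                                  # trust-anchor usages not handled here
        if association_data(rec.selector, rec.mtype, cert_der, spki_der) != rec.data:
            continue                                  # this record does not bind this cert
        if rec.usage == 1 and not pkix_valid:
            return False, "usage 1 matched but PKIX chain validation failed"
        if rec.usage in name_check_usages and not hostname_matches(hostname, cert_names):
            return False, "usage %d matched but certificate name check failed" % rec.usage
        return True, "accepted via usage %d" % rec.usage
    return False, "no usable TLSA record matched the presented certificate"

# A constructed DANE-EE(3) SPKI(1) SHA-256(1) record, i.e. "3 1 1 <hex>", for the sample key.
RECORD_3_1_1 = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI_DER).digest())
```

Under the RFC-as-read-by-Viktor policy a usage 3 match with a mismatching subject name is accepted; under the always-check policy the same record is rejected unless the cert also names the host.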
