On Tue, Mar 05, 2013 at 08:23:33PM +0000, Viktor Dukhovni wrote:
> I would like to suggest that the substance of TLSA being an additional
> check in 0/1 is completely retained when name checks are optimized
> out with 1 (as with compiler optimization of constant expressions),
> since the name checks would always succeed if made for domains
> that want this.
I think the above is the best and final argument. The domain owner
can perform all 1/3 name checks *statically* at the time at which
the TLSA record is generated. This frees the client from performing
the name checks *dynamically* since RRs whose FQDN is not compatible
(in the domain owner's eyes) with the EE certificate will never be
generated.
By specifying *static* (the domain owner does these when the TLSA
record is generated) rather than *dynamic* name checks the DANE WG
can enable new use-cases where the domain owner is free to associate
an EE certificate with a new FQDN not originally included among
the signed names in that certificate.
I can help draft suitable revised language for section 4 of 6698
and/or an accompanying rationale, example use-cases, ...
The only thing I can't do unfortunately is travel to IETF meetings,
for lack of free time and sponsorship funds.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
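The static-versus-dynamic name check argued for in the message above, as an added example; this is not code from the thread, from RFC 6698, or from any DANE implementation. The certificate representation (a dataclass holding DER, SPKI and dNSName values), the byte strings standing in for DER, and every function and parameter name are constructed for illustration. The generator does the RFC 6125-style name check once, when the TLSA record is produced, and accepts an owner-supplied policy for the "new FQDN" use case; the usage 3 client path then matches only the certificate association data and performs no name check of its own.

```python
# Added example, not from the thread: name checks done statically by the
# domain owner at TLSA generation time, and a DANE-EE (usage 3) client that
# relies on that and matches only the certificate association data.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class EndEntityCert:
    """Constructed stand-in for an X.509 end-entity certificate.

    A real tool would parse DER; here the dNSName list and the DER/SPKI
    bytes are supplied directly so the example runs offline.
    """
    der: bytes        # full certificate bytes (TLSA selector 0)
    spki: bytes       # SubjectPublicKeyInfo bytes (TLSA selector 1)
    san_dns: tuple    # dNSName entries from subjectAltName


def _labels(name):
    return name.rstrip(".").lower().split(".")


def name_matches(fqdn, san_dns):
    """RFC 6125-style dNSName matching: exact (case-insensitive) match, or a
    wildcard that replaces only the entire left-most label, so *.example.net
    matches smtp.example.net but neither example.net nor a.b.example.net."""
    want = _labels(fqdn)
    for san in san_dns:
        have = _labels(san)
        if have == want:
            return True
        if have[0] == "*" and len(have) == len(want) and have[1:] == want[1:]:
            return True
    return False


def association_data(cert, selector, mtype):
    """Certificate association data per RFC 6698: selector picks full cert or
    SPKI, matching type picks raw (0), SHA-256 (1) or SHA-512 (2)."""
    data = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %d" % mtype)


def make_tlsa_record(owner, port, proto, cert, usage, selector=1, mtype=1,
                     name_policy=name_matches):
    """Domain-owner side. The name check happens HERE, once, at generation
    time: a record is only published if the owner name is one the owner is
    willing to serve with this certificate. name_policy defaults to strict
    RFC 6125 matching; the owner may substitute its own policy to associate
    the certificate with a name not among its signed dNSNames.
    Only end-entity usages are emitted: 1 = PKIX-EE, 3 = DANE-EE."""
    if usage not in (1, 3):
        raise ValueError("this generator only emits end-entity usages 1 and 3")
    if not name_policy(owner, cert.san_dns):
        raise ValueError("%s is not acceptable for a certificate naming %s"
                         % (owner, cert.san_dns))
    rdata = association_data(cert, selector, mtype)
    return "_%d._%s.%s. IN TLSA %d %d %d %s" % (
        port, proto, owner.rstrip("."), usage, selector, mtype, rdata)


def parse_tlsa(record):
    """Return (usage, selector, mtype, rdata) from a presentation-format record."""
    fields = record.split()
    i = fields.index("TLSA")
    return tuple(int(x) for x in fields[i + 1:i + 4]) + (fields[i + 4].lower(),)


def client_accepts_dane_ee(records, presented):
    """Client side for usage 3 only: accept the presented certificate if any
    DANE-EE record's association data matches it. No dynamic name check is
    made, because the owner already made it statically. (A usage 1 record
    would additionally need PKIX validation, which this example omits.)"""
    for rec in records:
        usage, selector, mtype, rdata = parse_tlsa(rec)
        if usage != 3:
            continue
        if association_data(presented, selector, mtype) == rdata:
            return True
    return False


# Constructed sample data (not real certificates): opaque byte strings stand
# in for DER so the hashes are reproducible offline.
CERT = EndEntityCert(der=b"constructed-der-for-mail.example.com",
                     spki=b"constructed-spki-for-mail.example.com",
                     san_dns=("mail.example.com", "*.example.net"))
OTHER = EndEntityCert(der=b"constructed-der-for-some-other-host",
                      spki=b"constructed-spki-for-some-other-host",
                      san_dns=("mail.example.com",))

if __name__ == "__main__":
    rec = make_tlsa_record("smtp.example.net", 25, "tcp", CERT, usage=3)
    print(rec)
    print("accepted:", client_accepts_dane_ee([rec], CERT))
```

With the default policy, generating a record for example.net or a.b.example.net against the wildcard certificate raises at generation time, which is exactly where the message places the check; swapping in an owner-defined name_policy is what lets the owner publish the same certificate under a name it never carried, and the usage 3 client never notices the difference because it only compares association data.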