With certificate usage 0/2, if the server certificate from the TLS
handshake is in fact the trust anchor itself, rather than something
else signed (perhaps indirectly) via the trust anchor, is that OK?
Should a DANE client accept the chain? Should it still apply name
checks? I wasn't able to divine an answer from RFC 5280 (PKIX).
At the moment, I am not treating depth zero specially, so a trust
anchor's own certificate is accepted and in that case required to
match the MX domain or validated MX hostname.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
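
The behaviour described in the message above (no special case for depth zero, name check still applied), as an added example that is not part of the original post and not the author's implementation. The `Cert` and `TLSA` types, the function names and the sample data are constructed assumptions; chain signature verification, the public-CA validation that usage 0 additionally requires, and wildcard name matching are left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate."""
    der: bytes      # full certificate encoding (TLSA selector 0)
    spki: bytes     # SubjectPublicKeyInfo encoding (TLSA selector 1)
    names: tuple    # DNS names taken from subjectAltName

@dataclass
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

def tlsa_matches(rr, cert):
    """Compare one TLSA record with one certificate (RFC 6698 selector and matching type)."""
    blob = cert.der if rr.selector == 0 else cert.spki
    if rr.mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif rr.mtype == 2:
        blob = hashlib.sha512(blob).digest()
    return blob == rr.data

def anchor_depth(chain, rrset):
    """Lowest chain depth matched by a usage 0/2 record; depth 0 is not excluded."""
    for depth, cert in enumerate(chain):
        if any(rr.usage in (0, 2) and tlsa_matches(rr, cert) for rr in rrset):
            return depth
    return None

def accept(chain, rrset, reference_names):
    """Accept only if an anchor matched AND the depth-0 certificate carries a reference name."""
    if anchor_depth(chain, rrset) is None:
        return False
    presented = {n.lower() for n in chain[0].names}
    return any(ref.lower() in presented for ref in reference_names)

# Constructed sample data: a trust anchor, a leaf, and a usage 2 / selector 0 / SHA-256 record.
ANCHOR = Cert(b"constructed-ca-der", b"constructed-ca-spki", ("ca.example",))
LEAF = Cert(b"constructed-leaf-der", b"constructed-leaf-spki", ("mx1.example.net",))
RRSET = [TLSA(2, 0, 1, hashlib.sha256(ANCHOR.der).digest())]
REFS = ("example.net", "mx1.example.net")   # MX domain, validated MX hostname

if __name__ == "__main__":
    print(accept([ANCHOR], RRSET, REFS))        # anchor presented at depth 0, names do not match
    print(accept([LEAF, ANCHOR], RRSET, REFS))  # anchor at depth 1, leaf names match
```
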