On Thu, Mar 21, 2013 at 07:28:42PM +0000, Viktor Dukhovni wrote:
> > So I can't see any reason to reject this certificate, even being
> > spec-pedantic.
> >
> > Does that help?
>
> Yes, thanks, I think I can largely go with what I have, what remains
> to verify is the first part of the side question from my original post:
>
> [ I guess I should also ask whether the expiration dates of
> non-degenerate TA certificates matter with "IN TLSA 2 x y"
> resource records. At the moment I don't accept expired TA certs. ]

In the end, the implementation of "IN TLSA 2 1 0" and "IN TLSA 3 1 0"
leads me to treat TAs per PKIX/ITU as just public keys, and thus I
no longer check expiration dates in TA certs.

I had to put in a snippet of extra code to support zero-length "IN
TLSA 2 1 0" chains, which are somewhat easier to reject than to
accept, but the primary requirement for SMTP security is to not
fail whenever success is an option, so "IN TLSA 2 0 0" will also
be supported at depth 0, provided the server's certificate is
self-signed.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
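The usage/selector/matching-type behaviour described in the message above, as an added example that is not part of the thread or of any DANE implementation: certificates are constructed stand-in dicts (a hypothetical shape) carrying DER and SubjectPublicKeyInfo bytes, and `tlsa_depth` returns the chain depth at which a TLSA record matches, treating a DANE-TA as a bare key and so never looking at its expiration. It also handles the SHA-256/SHA-512 matching types from RFC 6698, which the message does not mention.

```python
import hashlib

# Constructed stand-ins for parsed X.509 certificates (hypothetical shape):
# "der" = full certificate bytes, "spki" = SubjectPublicKeyInfo bytes,
# "self_signed" = subject == issuer and the self-signature verifies.
LEAF_SELF = {"der": b"\x30\x82leaf-self", "spki": b"\x30\x59key-A", "self_signed": True}
LEAF = {"der": b"\x30\x82leaf", "spki": b"\x30\x59key-B", "self_signed": False}
CA = {"der": b"\x30\x82ca", "spki": b"\x30\x59key-C", "self_signed": True}

def matches(cert, selector, matching_type, assoc):
    """Selector 0 = full cert, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert["der"], 1: cert["spki"]}[selector]
    if matching_type == 0:
        return data == assoc
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching_type]
    return digest(data).digest() == assoc

def tlsa_depth(chain, usage, selector, matching_type, assoc):
    """Depth at which the TLSA record matches (chain[0] is the server cert,
    chain[i+1] issued chain[i]), or None if it does not.

    Usage 3 (DANE-EE): only the server certificate (depth 0) counts.
    Usage 2 (DANE-TA): any issuer counts; depth 0 counts only when the
    server certificate is self-signed (the "zero-length chain" case).
    The TA is treated as a bare public key, so expiration is not checked.
    """
    if usage == 3:
        return 0 if matches(chain[0], selector, matching_type, assoc) else None
    if usage == 2:
        for depth, cert in enumerate(chain):
            if depth == 0 and not cert["self_signed"]:
                continue  # a "2 x y" record must not match a CA-issued leaf
            if matches(cert, selector, matching_type, assoc):
                return depth
        return None
    raise ValueError("usage %d not handled in this example" % usage)

def demo():
    """The record forms discussed in the thread, plus one hashed variant."""
    return {
        "3 1 0, leaf key": tlsa_depth([LEAF, CA], 3, 1, 0, LEAF["spki"]),
        "2 1 0, CA key": tlsa_depth([LEAF, CA], 2, 1, 0, CA["spki"]),
        "2 1 0, self-signed leaf key": tlsa_depth([LEAF_SELF], 2, 1, 0, LEAF_SELF["spki"]),
        "2 0 0, self-signed leaf cert": tlsa_depth([LEAF_SELF], 2, 0, 0, LEAF_SELF["der"]),
        "2 0 0, CA-issued leaf cert": tlsa_depth([LEAF, CA], 2, 0, 0, LEAF["der"]),
        "2 1 1, SHA-256 of CA key": tlsa_depth([LEAF, CA], 2, 1, 1, hashlib.sha256(CA["spki"]).digest()),
    }
```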