>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> I take it you read the phrase "with any certificate matching the
VD> TLSA record... " to mean that such a certificate must come from the
VD> server in the server SSL HELO.

Yes, but I should have written something more like "in the HELO or in
the client's trust store"; any case where a type 0 can work also should
work with a type 2 pointing at the same cert.

VD> If I squint hard enough, I can read it the same way, but I could
VD> also suppose that the PKIX validation path in question was in part
VD> constructed by the verifier, and so no explicit requirement for the
VD> server to provide the certificate.

I did forget the other day, as I wrote above, the case where the type 2
points at a cert in the client's store.

Since you wrote that, after all, you wrote the code to handle the type 2
case where the cert isn't in the local store or in the HELO, I have to
say "working code beats word lawyering".

I think it would have been OK to skip the extra code for those
possibilities, using the language in the RFC as an excuse. But since you
wrote it anyway, use it.

-JimC
-- 
James Cloos <[email protected]>         OpenPGP: 1024D/ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
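The point under discussion is that a trust-anchor TLSA record (usage 0, PKIX-TA, or usage 2, DANE-TA) should be allowed to match a CA certificate the server never sent, as long as the client already has it in its own trust store. The example below is an added illustration, not code from the thread or from any DANE implementation: it implements only the TLSA association-matching step of RFC 6698 (selector 0/1, matching types 0/1/2) and searches the server-supplied chain first and the local store second, so a record that usage 0 could satisfy from the store is found by usage 2 pointing at the same certificate. The certificates are constructed byte-string stand-ins (no DER parsing), and PKIX path building and validation against the matched anchor are assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real DER here)."""
    name: str
    der: bytes    # would be the DER-encoded certificate
    spki: bytes   # would be the DER-encoded SubjectPublicKeyInfo

@dataclass(frozen=True)
class TLSA:
    """One TLSA RDATA: usage, selector, matching type, association data (RFC 6698)."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the bytes a TLSA record would carry for this cert."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")

def matches(tlsa: TLSA, cert: Cert) -> bool:
    return association_data(cert, tlsa.selector, tlsa.mtype) == tlsa.data

def find_trust_anchor(tlsa: TLSA, server_chain: List[Cert],
                      local_store: List[Cert]) -> Optional[Tuple[str, str]]:
    """Locate the certificate a trust-anchor record (usage 0 or 2) names.

    Returns (certificate name, where it was found) or None. The chain the
    server presented is searched first, then the client's own trust store,
    so a usage-2 record may point at a cert the server never sent.
    """
    if tlsa.usage not in (0, 2):
        raise ValueError("only trust-anchor usages (0 and 2) are handled here")
    for cert in server_chain:
        if matches(tlsa, cert):
            return (cert.name, "chain")
    for cert in local_store:
        if matches(tlsa, cert):
            return (cert.name, "store")
    return None

def make_record(cert: Cert, usage: int, selector: int = 0, mtype: int = 1) -> TLSA:
    """Build the TLSA record that designates `cert` (hypothetical helper)."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))

# Constructed sample data: the server sends its EE cert and one intermediate;
# the root lives only in the client's trust store.
EE = Cert("mail.example.test", b"constructed-ee-der", b"constructed-ee-spki")
INTERMEDIATE = Cert("Example Intermediate CA", b"constructed-int-der", b"constructed-int-spki")
ROOT = Cert("Example Root CA", b"constructed-root-der", b"constructed-root-spki")
SERVER_CHAIN = [EE, INTERMEDIATE]
LOCAL_STORE = [ROOT]

def demo() -> dict:
    """Show that usage 0 and usage 2 both resolve the same anchors."""
    out = {}
    for usage in (0, 2):
        out[f"usage{usage}_root"] = find_trust_anchor(make_record(ROOT, usage), SERVER_CHAIN, LOCAL_STORE)
        out[f"usage{usage}_intermediate"] = find_trust_anchor(
            make_record(INTERMEDIATE, usage), SERVER_CHAIN, LOCAL_STORE)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The ordering (chain, then store) is a design choice for the illustration; what matters for the thread's argument is that the store is consulted at all, so the set of certificates reachable by a usage-2 record is a superset of what the server sent rather than being limited to the HELO.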
