On Tue, Mar 26, 2013 at 12:52:36PM +0100, Jakob Schlyter wrote:
> On 26 mar 2013, at 09:22, Viktor Dukhovni <[email protected]> wrote:
>
> > Now if that's a requirement, then "2 1 0" use-case is simply a waste
> > of bits in DNS, we get the same result via "2 1 1", since both
> > match the same element of the chain, but 2 1 1 is substantially
> > more compact.
>
> I agree "2 1 0" is a waste of bits - "2 x {1,2}" makes a lot more sense.
What about the larger issue, how can I use "2 x 1" or "2 x 2" if
the TA certificate is not required in the peer's chain? Or is it?
How can I use "2 1 0" (waste of bits and all) if I must check
"issued" rather than "signed"? Is the group tired of my questions?
I need to converge on a viable implementation profile and some
guidance is essential at this point.
The problem isn't how to write the code, that's easy. The problem
is choosing appropriate TLSA RR semantics. I don't know when it
is safe to commit to verification of the peer's chain if I can't
predict its required contents. What requirements on the peer's
"certificate_list" are implied by publishing a trust anchor TLSA
RR with "2" (and ideally also "0") as the certificate usage?
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
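The two points argued in the message above, that "2 1 0" costs far more bits than "2 1 1" while matching the same chain element, and that a usage-2 record can only match if the trust anchor actually appears in the peer's certificate_list, as an added stand-alone Python example (not code from this thread or from any DANE implementation). The DER helpers and the unsigned toy certificates are constructed for the demo; the byte counts assume an RSA-2048-sized SubjectPublicKeyInfo.

```python
import hashlib
def der_len(n):                                   # minimal DER length encoder (demo only)
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw
def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_children(buf):
    """Split the body of a constructed DER value into its (tag, body) children."""
    out, off = [], 0
    while off < len(buf):
        tag, n, off = buf[off], buf[off + 1], off + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, off = int.from_bytes(buf[off:off + k], "big"), off + k
        out.append((tag, buf[off:off + n]))
        off += n
    return out
def spki_der(cert_der):
    """DER SubjectPublicKeyInfo of a certificate, i.e. what TLSA selector 1 covers."""
    cert_body = der_children(cert_der)[0][1]                # unwrap Certificate SEQUENCE
    tbs = der_children(der_children(cert_body)[0][1])       # fields of tbsCertificate
    return der(*tbs[6 if tbs[0][0] == 0xA0 else 5])         # [0] version is optional
def tlsa_rdata(usage, selector, mtype, cert_der):
    """TLSA RDATA (RFC 6698 section 2.1): usage, selector, matching type, association data."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype]
    return bytes([usage, selector, mtype]) + digest(data)
def matched_chain_index(rdata, chain):
    """Index of the first certificate_list element the record matches, or None if absent."""
    for i, cert in enumerate(chain):
        if tlsa_rdata(rdata[0], rdata[1], rdata[2], cert) == rdata:
            return i
    return None
def toy_cert(subject, key_bytes):
    """Constructed, unsigned X.509-shaped DER (hypothetical) so the demo runs offline."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))  # rsaEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, subject))))
    validity = der(0x30, der(0x17, b"130326000000Z") + der(0x17, b"140326000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x00" * 16))

# 270 key bytes gives a 294-byte SPKI, the size of a real RSA-2048 SubjectPublicKeyInfo.
TA = toy_cert(b"Example Trust Anchor", b"\x01" * 270)
LEAF = toy_cert(b"mail.example", b"\x02" * 270)
```

With chain [LEAF, TA], both tlsa_rdata(2, 1, 0, TA) (297 bytes) and tlsa_rdata(2, 1, 1, TA) (35 bytes) match index 1; with chain [LEAF] alone neither matches anything, which is the dependency on the peer's certificate_list the message asks about.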