On 16 apr 2013, at 16:52, Viktor Dukhovni <[email protected]> wrote:

> Does either RFC 6698, or draft-ietf-dane-srv mandate (or it is too
> obvious to state in either standard) that:
> 
>  - Servers with "IN TLSA 2 x [12]" associations are obligated to include
>    the full TA cert in their TLS "certificate_list".

I believe that is the case. RFC 6698 says: "The target certificate MUST pass 
PKIX certification path validation, with any certificate matching the TLSA 
record considered to be a trust anchor for this certification path validation." 
It is not possible to do path validation without having the full trust anchor 
certificate, thus the server needs to provide it in most cases. If it is not 
provided, and the client does not have its own copy, validation will fail.

>  - It is correct to read "IN TLSA 2 1 0" as validating chains "signed by"
>    (not known whether issued by) the TA, when the TA cert itself is not
>    available in the peer's chain.  Or, per the previous question, is the
>    TA cert is required, and the issue is moot.

Given that you need to do path validation, I believe the TA cert is required. 
In the case of "IN TLSA 2 1 x" or "IN TLSA 2 0 {1,2}", the server has to provide 
the certificate or the client has its own copy.


        jakob


-- 
Jakob Schlyter
Kirei AB - www.kirei.se



_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
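The DANE-TA(2) check Jakob describes, as an added example that is not part of the thread and not the code of any DANE implementation. It mints a throwaway root -> intermediate -> leaf chain (the names "Example Root CA", "Example Issuing CA" and mail.example.com are constructed here), derives the TLSA association data for selector Cert(0) or SPKI(1) with matching type Full(0) or SHA2-256(1), and then runs PKIX path validation with the matching certificate as the trust anchor, using Go's crypto/x509. VerifyDANETA, assocData, BuildExamplePKI and the localTAs parameter are names chosen for this example. The three runs in main show the point of the message: with the TA cert in certificate_list validation succeeds, with it omitted and no local copy there is nothing to anchor to and validation fails, and a locally held copy of the TA cert rescues it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RFC 6698 RDATA fields; only usage 2 (DANE-TA) is implemented here.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// assocData derives the association data of c for a selector and matching type; nil means unsupported.
func assocData(c *x509.Certificate, selector, matching uint8) []byte {
	subj := c.Raw // Cert(0): the full certificate, DER
	if selector == 1 {
		subj = c.RawSubjectPublicKeyInfo // SPKI(1): subjectPublicKeyInfo, DER
	} else if selector != 0 {
		return nil
	}
	switch matching {
	case 0: // Full(0): the data itself
		return subj
	case 1: // SHA2-256(1)
		h := sha256.Sum256(subj)
		return h[:]
	}
	return nil // SHA2-512(2) and unknown matching types are left out here
}

// VerifyDANETA validates chain[0] (the end-entity certificate) with any certificate
// matching the TLSA record treated as the PKIX trust anchor (RFC 6698 section 2.1.1). The
// anchor may sit in the peer's certificate_list or be a copy the client holds (localTAs).
func VerifyDANETA(chain, localTAs []*x509.Certificate, rr TLSA, name string, now time.Time) error {
	if rr.Usage != 2 || len(chain) == 0 {
		return fmt.Errorf("need a usage-2 (DANE-TA) record and a non-empty certificate_list")
	}
	roots, inters, anchored := x509.NewCertPool(), x509.NewCertPool(), false
	candidates := append(append([]*x509.Certificate{}, chain[1:]...), localTAs...)
	for i, c := range candidates {
		switch d := assocData(c, rr.Selector, rr.MatchingType); {
		case d != nil && string(d) == string(rr.Data):
			roots.AddCert(c) // this certificate is the trust anchor
			anchored = true
		case i < len(chain)-1: // presented but not the anchor: a candidate intermediate
			inters.AddCert(c)
		}
	}
	if !anchored { // nothing to build a path to: the failure the thread discusses
		return fmt.Errorf("TLSA 2 record matches no presented or locally held certificate: no trust anchor")
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: name, CurrentTime: now})
	return err
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildExamplePKI mints a throwaway root -> intermediate -> leaf chain; names and keys are constructed here.
func BuildExamplePKI() (root, inter, leaf *x509.Certificate) {
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
		if ca {
			t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		} else {
			t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return t
	}
	issue := func(t, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		if parent == nil { // self-signed root
			parent, pkey = t, key
		}
		der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey))
		return must(x509.ParseCertificate(der)), key
	}
	root, rootKey := issue(tmpl(1, "Example Root CA", true), nil, nil)
	inter, interKey := issue(tmpl(2, "Example Issuing CA", true), root, rootKey)
	leaf, _ = issue(tmpl(3, "mail.example.com", false), inter, interKey)
	return root, inter, leaf
}

func main() {
	root, inter, leaf := BuildExamplePKI()
	rr := TLSA{2, 1, 1, assocData(root, 1, 1)} // "IN TLSA 2 1 1 <sha256 of the root's SPKI>"
	fmt.Println("TA presented:", VerifyDANETA([]*x509.Certificate{leaf, inter, root}, nil, rr, "mail.example.com", time.Now()))
	fmt.Println("TA omitted:  ", VerifyDANETA([]*x509.Certificate{leaf, inter}, nil, rr, "mail.example.com", time.Now()))
	fmt.Println("local copy:  ", VerifyDANETA([]*x509.Certificate{leaf, inter}, []*x509.Certificate{root}, rr, "mail.example.com", time.Now()))
}
```

Note that a "2 1 x" record names the anchor by its public key only, but the code still needs a certificate object to anchor on: a bare SPKI hash is not something PKIX path validation can build a path to, so the matching certificate has to be presented or held locally either way. A "2 0 1" record naming the intermediate works with the root left out of certificate_list, since the intermediate then is the anchor.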
