On Apr 16, 2013, at 2:00 PM, Jakob Schlyter <[email protected]> wrote:

> On 16 apr 2013, at 16:52, Viktor Dukhovni <[email protected]> wrote:
>
>> Does either RFC 6698, or draft-ietf-dane-srv mandate (or is it too
>> obvious to state in either standard) that:
>>
>> - Servers with "IN TLSA 2 x [12]" associations are obligated to include
>>   the full TA cert in their TLS "certificate_list".
>
> I believe that is the case.
And your co-author strongly disagrees.

> RFC 6698 says: "The target certificate MUST pass PKIX certification path
> validation, with any certificate matching the TLSA record considered to be a
> trust anchor for this certification path validation."

Yes.

> It is not possible to do path validation without having the full trust anchor
> certificate,

Errr, why not? If the client has a certificate that says "the public key of the trust anchor that signed me is keyX", and you get keyX from TLSA, why do you need a full trust anchor certificate?

> thus the server needs to provide it in most cases. If it is not provided, and
> the client does not have its own copy, validation will fail.

Didn't the client just get it from TLSA? What am I missing here?

--Paul Hoffman

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
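The DANE-TA(2) check the thread argues over, written out as an added example; it is not code from the thread, from RFC 6698 or draft-ietf-dane-srv, or from any of the posters, and it uses only Go's standard library. The function names, the host name mail.example.com, the "Example DANE TA" subject and the Ed25519 keys are made up for the example. AssocData implements the selector and matching-type fields of the TLSA RDATA (SHA-512 is left out), and VerifyDANETA applies the sentence of RFC 6698 quoted above literally: a certificate from the server's certificate_list that matches the record becomes the trust anchor for PKIX validation of the leaf. A "2 1 1" record carries a SHA-256 digest of the TA's SubjectPublicKeyInfo, so when the chain omits the TA there is nothing the digest can be matched against and nothing to put in the root pool, and the check fails.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// TLSA holds the RDATA of an RFC 6698 TLSA record.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// AssocData applies the selector (0 = full DER certificate, 1 = DER SubjectPublicKeyInfo)
// and matching type (0 = exact bytes, 1 = SHA-256) to c; nil means unsupported here.
func AssocData(c *x509.Certificate, selector, matchingType uint8) []byte {
	var d []byte
	switch selector {
	case 0:
		d = c.Raw
	case 1:
		d = c.RawSubjectPublicKeyInfo
	default:
		return nil
	}
	switch matchingType {
	case 0:
		return d
	case 1:
		h := sha256.Sum256(d)
		return h[:]
	}
	return nil
}

// Matches reports whether c is the certificate rec describes.
func Matches(rec TLSA, c *x509.Certificate) bool {
	d := AssocData(c, rec.Selector, rec.MatchingType)
	return d != nil && bytes.Equal(d, rec.Data)
}

// VerifyDANETA applies the RFC 6698 sentence quoted in the thread to a usage-2 record:
// a certificate in the server's certificate_list (chain) that matches the record becomes
// the trust anchor, and chain[0] must pass PKIX validation for name against it.
func VerifyDANETA(rec TLSA, name string, chain ...*x509.Certificate) error {
	if rec.Usage != 2 || len(chain) == 0 {
		return errors.New("need a usage-2 record and a non-empty certificate_list")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	anchored := false
	for _, c := range chain[1:] {
		if Matches(rec, c) {
			roots.AddCert(c) // the anchor is whatever the server sent, not the record's digest
			anchored = true
		} else {
			inter.AddCert(c)
		}
	}
	if !anchored {
		return errors.New("no certificate in certificate_list matches the TLSA record")
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: name, Roots: roots, Intermediates: inter})
	return err
}

// mkCert signs tmpl under parent with priv and parses the result (demo helper).
func mkCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain makes a throwaway self-signed TA and a leaf it signs for name; nothing is real.
func BuildChain(name string) (ta, leaf *x509.Certificate) {
	taPub, taKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	taTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example DANE TA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ta = mkCert(taTmpl, taTmpl, taPub, taKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return ta, mkCert(leafTmpl, ta, leafPub, taKey)
}
```

To try it, build a chain with `ta, leaf := BuildChain("mail.example.com")`, publish `TLSA{2, 1, 1, AssocData(ta, 1, 1)}` as the record, and call `VerifyDANETA(rec, "mail.example.com", leaf, ta)` and then `VerifyDANETA(rec, "mail.example.com", leaf)`; the first returns nil and the second returns the "no certificate ... matches" error. The TA need not be self-signed: Go's `x509.CertPool` accepts an intermediate as a root, which is how a "2 1 1" record naming an issuing CA rather than the top of a public hierarchy behaves under this check.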
