On Sat, Apr 20, 2013, at 04:51 PM, Paul Hoffman wrote:
> On Apr 19, 2013, at 10:25 PM, Viktor Dukhovni <[email protected]> wrote:
>
> > Server: Via DNS: My TA digest is 12345
> > Server: Via TLS handshake: my certificate chain is A, B, C
> > Client: Sees that none of A, B, or C has 12345 as their digest.
> > Does not have any certificates in hand with digest 12345
> > (no presumption of this with certificate usage 2).
> > Verification fails.
> >
> > Therefore:
> >
> > Observation: If server does not want the client to fail, include
> > the TA cert in the chain A, B, C, D (assuming, for example, that
> > D is the missing TA certificate that signed C).
>
> Yes. And there are probably other valuable operational considerations
> that are not in RFC 6689 that you and others are discovering as well.
> These should be captured in an RFC that updates RFC 6689. That way,
> future developers and implementers can find them in a widely-distributed
> and stable document series.
>
> If the WG wants to add this to the charter, I would be willing to be
> editor again. However, I think that an actual implementer and/or operator
> of DANE services would probably be a better editor (nudge, nudge Viktor).
We've not implemented or operated (yet), but we're all for Viktor, sorry.
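The quoted exchange describes why a DANE-TA (certificate usage 2) client fails when the trust-anchor certificate is absent from the presented chain. The following is an added illustration, not code from this thread or from any DANE implementation; the certificates are constructed stand-ins (plain byte strings rather than real DER), signature checks are omitted, and only the digest-matching and issuer-chaining steps are modelled.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the DER-encoded certificate


def tlsa_digest(cert: Cert) -> str:
    # Selector 0 (full certificate) with matching type 1 (SHA-256),
    # the common TLSA parameter choice; a real client hashes the DER bytes.
    return hashlib.sha256(cert.der).hexdigest()


def verify_usage2(chain: list[Cert], ta_digest: str) -> tuple[bool, str]:
    """DANE-TA(2) check: the presented chain itself must contain a
    certificate whose digest equals the TLSA record's digest, and the
    leaf must chain up to it by issuer/subject links. A usage-2 client
    holds no out-of-band TA, so a TA missing from the chain is fatal."""
    ta_idx = next((i for i, c in enumerate(chain) if tlsa_digest(c) == ta_digest), None)
    if ta_idx is None:
        return False, "TA digest not present in presented chain"
    # Walk leaf -> TA; each cert's issuer must be the subject of the next.
    for cur, nxt in zip(chain[:ta_idx], chain[1:ta_idx + 1]):
        if cur.issuer != nxt.subject:
            return False, f"{cur.subject} is not issued by {nxt.subject}"
    return True, f"path anchored at {chain[ta_idx].subject}"


# Constructed chain mirroring the thread: A (leaf) <- B <- C <- D (TA).
A = Cert("www.example.com", "Intermediate B", b"constructed-cert-A")
B = Cert("Intermediate B", "Intermediate C", b"constructed-cert-B")
C = Cert("Intermediate C", "Trust Anchor D", b"constructed-cert-C")
D = Cert("Trust Anchor D", "Trust Anchor D", b"constructed-cert-D")
TA_DIGEST = tlsa_digest(D)  # what the server publishes in its TLSA record

if __name__ == "__main__":
    print(verify_usage2([A, B, C], TA_DIGEST))     # fails: D not sent
    print(verify_usage2([A, B, C, D], TA_DIGEST))  # succeeds: D included
```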
