Viktor Dukhovni:
> On Wed, May 22, 2013 at 11:13:42AM +0200, Christian Becker wrote:
>
>> What is the intended outcome of validating a record TLSA 2 x x, where the
>> specified trust anchor certificate was already revoked by a CA? Does
>> PKIX certification path validation include revocation checks?
>
> With certificate usages "2" and "3" there is no PKIX validation
> above the trust-anchor or EE certificate respectively. The party
> publishing the TLSA RR is responsible for updating the TLSA record
> when the certificate in question is no longer trustworthy. This
> is properly a responsibility of the domain owner; I should add a note
> about this to the next revision of the ops draft...
Thanks for your answer. I only supposed that there is, or should be, an answer on the protocol level as well to this situation, where there might be conflicting information from PKIX validation and DANE.

Christian

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
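The point Viktor makes above, that usage 2 (DANE-TA) and usage 3 (DANE-EE) matching is a comparison of the TLSA association data against the presented chain and nothing else, is easiest to see in code. The following is an added example written for this page, not code from the thread, from any DANE implementation, or from the ops draft. It builds RFC 6698 TLSA rdata (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2 = exact/SHA-256/SHA-512) from DER input and then performs the usage 2/3 match. The "certificates" it feeds in are constructed, unsigned, cert-shaped DER built by a hypothetical `fake_cert` helper, enough to exercise SPKI extraction; `tlsa_match` and the other names are this example's own. Note that no revocation data is an input anywhere: once the domain owner decides the TA or EE certificate is no longer trustworthy, the only lever is to publish a new record, which is why the old record keeps matching the old certificate until it is replaced.

```python
"""TLSA (RFC 6698) association data for usages 2 and 3, standard library only."""
import hashlib

# ---- minimal DER helpers (enough to build and walk a cert-shaped TLV) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, off=0):
    """Return (tag, value, end_offset) for the TLV starting at buf[off]."""
    tag, off = buf[off], off + 1
    length, off = buf[off], off + 1
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Split a constructed value into its child TLVs (tag, full encoding)."""
    out, off = [], 0
    while off < len(value):
        tag, _, end = der_read(value, off)
        out.append((tag, value[off:end]))
        off = end
    return out

def spki_from_cert(cert_der):
    """SubjectPublicKeyInfo TLV of an X.509 Certificate (selector 1 input)."""
    tag, cert_value, _ = der_read(cert_der)        # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, tbs_value, _ = der_read(cert_value)         # tbsCertificate SEQUENCE
    fields = der_children(tbs_value)
    # [0] version is optional; if present, SPKI is the 7th field, else the 6th
    return fields[6][1] if fields[0][0] == 0xA0 else fields[5][1]

# ---- TLSA rdata generation and matching ----
def tlsa_assoc_data(cert_der, selector, mtype):
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")

def tlsa_rdata(usage, selector, mtype, cert_der):
    """Presentation-format rdata the domain owner would publish."""
    return f"{usage} {selector} {mtype} {tlsa_assoc_data(cert_der, selector, mtype).hex()}"

def tlsa_match(rdata, chain):
    """chain: DER certificates, EE first. Returns the matching cert or None.
    Usage 3 examines only the EE; usage 2 accepts any chain cert as the trust
    anchor. Nothing above the matched cert is consulted, and revocation status
    is not an input at all (usages 0/1 would need real PKIX validation)."""
    usage, selector, mtype, hexdata = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (2, 3):
        raise ValueError("PKIX-TA/PKIX-EE usages require PKIX validation")
    want = bytes.fromhex(hexdata)
    for cert in (chain[:1] if usage == 3 else chain):
        if tlsa_assoc_data(cert, selector, mtype) == want:
            return cert
    return None

# ---- constructed input: cert-shaped DER, NOT a real signed certificate ----
def fake_cert(serial, pubkey_bytes):
    """Returns (cert_der, spki_der). Field layout follows RFC 5280; contents are dummies."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example.com"))))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
               + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))        # version v3
                    + der(0x02, bytes([serial]))          # serialNumber
                    + der(0x30, b"") + name               # signature alg, issuer
                    + der(0x30, der(0x17, b"130101000000Z") * 2)  # validity
                    + name + spki)                        # subject, SPKI
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki

def demo():
    """Publish usage 3/2 records, then replace the TA: the old record stops matching."""
    ee, _ = fake_cert(1, b"EE-PUBLIC-KEY")
    ca, _ = fake_cert(2, b"CA-PUBLIC-KEY")
    new_ca, _ = fake_cert(3, b"NEW-CA-PUBLIC-KEY")
    rec3 = tlsa_rdata(3, 1, 1, ee)
    rec2 = tlsa_rdata(2, 1, 1, ca)
    return {
        "ee_matches": tlsa_match(rec3, [ee, ca]) == ee,
        "ta_matches": tlsa_match(rec2, [ee, ca]) == ca,
        "old_ta_record_vs_new_ta": tlsa_match(rec2, [ee, new_ca]),  # None until republished
        "new_ta_record_vs_new_ta": tlsa_match(tlsa_rdata(2, 1, 1, new_ca), [ee, new_ca]) == new_ca,
    }

if __name__ == "__main__":
    print(demo())
```

The operational takeaway matches the thread: a CRL entry for the TA or EE certificate changes nothing in `tlsa_match`, so a DANE-TA or DANE-EE deployment needs the TLSA rollover (publish new, wait out TTLs, retire old) to be part of the same runbook as certificate replacement.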
