Ian,
On 4. 9. 2013, at 6:13, Ian Fette (イアンフェッティ) <[email protected]> wrote:

> I'm not sure that I agree with everything in that draft, particularly the bit
> about not using certificate usage 0/1, as this is precisely what we would do
> for Gmail most likely (we operate our own CA, and for instance in Chrome and
> via

You need certificate usage 2 for your own CA, and the mapping 0->2, 1->3 (see sections 2.2.1.3 and 2.2.1.4) ensures that your DANE record with certificate usage 0 SHOULD be used even in case you use a well-established CA.

> http://tools.ietf.org/html/draft-ietf-websec-key-pinning-08 we typically pin
> google.com to a set of CA certificates, not leaf certificates, as the leaf
> certificates can rotate more frequently based on operational needs but our CA
> cert changes much more rarely.) It's not clear to me why requiring PKIX
> validation in that case would be an unreasonable expectation.

I guess this comes from operational experience: currently the SMTP servers don't do any validation on the certificates, and it would be a great leap to take, so it's better to start with opportunistic TLS than forcing the users to do full PKIX. This might change in some future draft, but Viktor's draft would be a huge leap for SMTP encryption.

> Indeed, most of the certs I see from a random inspection of servers offering
> STARTTLS (google, t-online, web.de etc) include a full certificate chain to a
> public CA. Other than that nit though, I would love to see that draft advance.

O.

-- 
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------
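As an added example (not code from this thread or from any IETF draft), here is how an SMTP client could apply the 0->2, 1->3 usage mapping Ondřej refers to and then match a TLSA record against the server's presented chain without PKIX validation. The certificates and SubjectPublicKeyInfo blobs are constructed byte strings rather than real DER, and path validation from a matched DANE-TA anchor to the leaf is left out.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

# TLSA certificate usages from RFC 6698
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def smtp_usage(usage: int) -> int:
    """Treat PKIX-TA/PKIX-EE as DANE-TA/DANE-EE: SMTP does no PKIX validation."""
    return {PKIX_TA: DANE_TA, PKIX_EE: DANE_EE}.get(usage, usage)


def _digest(record: TLSA, data: bytes) -> bytes:
    if record.matching == 0:
        return data
    if record.matching == 1:
        return hashlib.sha256(data).digest()
    if record.matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {record.matching}")


def tlsa_matches(record: TLSA, chain: list[tuple[bytes, bytes]]) -> bool:
    """chain: (certificate, SPKI) pairs, leaf first.  DANE-EE inspects only the
    leaf; DANE-TA accepts a match anywhere in the chain (the leaf must then
    also chain to that anchor, which this example does not check)."""
    usage = smtp_usage(record.usage)
    candidates = chain[:1] if usage == DANE_EE else chain
    for cert, spki in candidates:
        selected = cert if record.selector == 0 else spki
        if _digest(record, selected) == record.data:
            return True
    return False


# Constructed sample chain: labelled byte strings standing in for DER
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
CA = (b"constructed-ca-cert", b"constructed-ca-spki")
CHAIN = [LEAF, CA]


def demo() -> dict:
    # Usage 0 record pinning the operator's own CA (SHA-256 of the full cert),
    # the style of CA pinning Ian describes; usage 1 record pinning the leaf SPKI
    ca_pin = TLSA(PKIX_TA, 0, 1, hashlib.sha256(CA[0]).digest())
    leaf_pin = TLSA(PKIX_EE, 1, 1, hashlib.sha256(LEAF[1]).digest())
    return {
        "ca_pin_matches": tlsa_matches(ca_pin, CHAIN),
        "leaf_pin_matches": tlsa_matches(leaf_pin, CHAIN),
        # usage 1 maps to DANE-EE, which only looks at the leaf, so a CA pin fails
        "ca_pin_as_ee": tlsa_matches(TLSA(PKIX_EE, 0, 1, ca_pin.data), CHAIN),
    }
```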
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
