>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> This usage requires the presence of a given CA (root or intermediate)
VD> in the chain, but does not promote that CA to a trust anchor (as
VD> with usage 2). So perhaps the original PKIX-CA is in fact better.

On a ship with multiple anchors, each /is/ still an anchor. Even if the
crew does not trust one at a time to hold the ship in place.

The type 0/1 tlsa are anchors, but the admin lacks trust in either
technology on its own and requires both technologies verify.

It also IMHO looks cleaner (perhaps also less confusing) to have one bit
specify EE|TA and the other specify CERT|DANE.

-JimC
--
James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
