On 11/7/2013 7:05 AM, Bry8 Star wrote:
> If you do not have domain owner's (TLSA "Usage" case 2's or 3's)
> TLS/SSL cert or cert-chain file,
> then will not your test-result always fail for those TWO "Usage"
> cases?
For usage 2, yes. That's probably why Viktor and Wes wrote in section
3.9.2 of their BCP document that TLSA RR 2 publishers must ensure their
servers are configured to serve the trust anchor cert as part of a full
cert chain, when TLS handshaking. I'm thinking of adding annotations to
that effect in the test site.
Usage 3 specifically does not require PKIX validation, so the root cert
non-availability is moot.
If DANE comes to be widely deployed and trusted, backed by effective
DNSSEC, then it seems likely that Usage 3 will come to be the default
mode of operation, as either 301 or 302, for brevity.
Perhaps I should repeat parts of the BCP in the respective test cases.
Stephen.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
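Added example, not part of the thread above: a small Python model of the client-side check that the two usages discussed differ on. A usage 2 (DANE-TA) record can only be satisfied if the matching trust-anchor certificate is actually present in the chain the server sends, which is the point of the BCP section quoted; a usage 3 (DANE-EE) record is matched against the end-entity certificate alone, with no PKIX path and no trust store involved. The certificates below are constructed stand-ins (made-up names and placeholder bytes in place of real DER), and "PKIX validation" is reduced to an issuer/subject walk; only the selector/matching-type hashing and the usage-specific rules follow RFC 6698.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes   # stand-in for the full DER certificate (selector 0)
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo (selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def _assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_for(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """Publisher side: the RR a zone operator would put in DNS for `cert`."""
    return TLSA(usage, selector, mtype, _assoc_data(cert, selector, mtype))


def matches(cert: Cert, rr: TLSA) -> bool:
    return _assoc_data(cert, rr.selector, rr.mtype) == rr.data


def _chains_to(leaf: Cert, chain: List[Cert], anchor: Cert) -> bool:
    """Simplified path building: follow issuer links from the leaf to `anchor`,
    using only the presented chain plus the anchor itself."""
    pool = {c.subject: c for c in list(chain) + [anchor]}
    cur, seen = leaf, set()
    while cur != anchor:
        if cur.subject in seen:
            return False          # loop, or a self-signed cert that is not the anchor
        seen.add(cur.subject)
        cur = pool.get(cur.issuer)
        if cur is None:
            return False          # issuer neither presented nor the anchor
    return True


def dane_verify(chain: List[Cert], rr: TLSA, trust_store: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the end-entity cert as sent in the TLS handshake, in order."""
    leaf = chain[0]
    if rr.usage == 3:
        # DANE-EE: match the leaf only. No path building, no trust store, so an
        # unavailable or untrusted root is irrelevant.
        return (True, "DANE-EE match") if matches(leaf, rr) else (False, "leaf does not match TLSA")
    if rr.usage == 2:
        # DANE-TA: the anchor is whatever cert in the *presented* chain matches the RR.
        # If the server leaves it out, there is nothing to match and the check fails.
        anchors = [c for c in chain if matches(c, rr)]
        if not anchors:
            return False, "no certificate in the presented chain matches the TLSA trust anchor"
        if any(_chains_to(leaf, chain, ta) for ta in anchors):
            return True, "DANE-TA match"
        return False, "leaf does not chain to the TLSA trust anchor"
    if rr.usage in (0, 1):
        # PKIX-TA / PKIX-EE: ordinary PKIX validation against the client's store first
        anchors = [a for a in trust_store if _chains_to(leaf, chain, a)]
        if not anchors:
            return False, "PKIX validation failed"
        if rr.usage == 1:
            return (True, "PKIX-EE match") if matches(leaf, rr) else (False, "leaf does not match TLSA")
        if any(matches(c, rr) for c in list(chain) + anchors):
            return True, "PKIX-TA match"
        return False, "no certificate in the validated path matches the TLSA"
    raise ValueError("unknown usage %d" % rr.usage)


# Constructed three-level chain (placeholder bytes, not real DER)
ROOT = Cert("Example Root CA", "Example Root CA", b"DER:root-cert", b"SPKI:root-key")
INTER = Cert("Example Issuing CA", "Example Root CA", b"DER:inter-cert", b"SPKI:inter-key")
LEAF = Cert("mail.example.net", "Example Issuing CA", b"DER:leaf-cert", b"SPKI:leaf-key")


def demo() -> dict:
    rr2 = tlsa_for(ROOT, 2, 0, 1)   # "2 0 1 <sha256 of root DER>"
    rr3 = tlsa_for(LEAF, 3, 0, 1)   # "3 0 1 <sha256 of leaf DER>"
    rr3b = tlsa_for(LEAF, 3, 0, 2)  # "3 0 2 <sha512 of leaf DER>"
    rr1 = tlsa_for(LEAF, 1, 1, 1)   # "1 1 1 <sha256 of leaf SPKI>"
    return {
        "2 0 1, root omitted by server": dane_verify([LEAF, INTER], rr2, []),
        "2 0 1, full chain served":      dane_verify([LEAF, INTER, ROOT], rr2, []),
        "3 0 1, leaf only, no store":    dane_verify([LEAF], rr3, []),
        "3 0 2, leaf only, no store":    dane_verify([LEAF], rr3b, []),
        "3 0 1, wrong cert presented":   dane_verify([INTER], rr3, []),
        "1 1 1, root not in store":      dane_verify([LEAF, INTER], rr1, []),
        "1 1 1, root in store":          dane_verify([LEAF, INTER], rr1, [ROOT]),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print("%-32s %s (%s)" % (case, "PASS" if ok else "FAIL", why))
```

The two usage 2 rows are the case from the question: the same record passes or fails purely on whether the server includes the trust anchor in the handshake. The usage 3 rows pass with an empty trust store, which is the "PKIX validation not required" property, while the usage 1 rows show that a PKIX usage still needs the root in the client's store even when the leaf matches.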