On Thu, Jan 16, 2014 at 12:35:49PM -0500, Stephen Nightingale wrote:

> Granted the cert even for Cert Use DANE-EE(3) must be well-formed in
> order to see what's in it.
>
> But I believe Victor's main point is that the only field *value*
> that matters for DANE-EE(3) is the Public Key.  Issuer, Common Name
> and SubjectAltName are just deckchairs.

Correct, the point is that DANE verification makes no use of these values;
if, however, underlying libraries are likely to object, certificates like
this should perhaps be avoided.  Note however, that this means that a
certificate with an empty subject DN can never be self-signed.

I'll strive to avoid publishing examples that are likely to fail
interoperability tests.  For what it is worth, OpenSSL does not
mind empty subject and issuer DNs even without a SAN extension, if
the application layer does not object.  The DANE verification code
I wrote on top of OpenSSL likewise does not object with usage
DANE-EE(3).

So my instructions to users will have to suggest something like:

        openssl req ... -subj "/CN=?"

for self-signed certificates that are intended solely for DANE-EE(3) use.

-- 
        Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
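An added shell example (mine, not code from the thread) that makes the point concrete: two self-signed certificates issued from one key with different subject DNs yield identical TLSA 3 1 1 record data, because the SPKI digest never looks at Subject or Issuer. It assumes an openssl binary on PATH; mail.example.com is a placeholder owner name.

```shell
#!/bin/sh
# Added example, not from the thread: DANE-EE(3) with selector SPKI(1) and
# matching type SHA2-256(1) binds only the public key, so certificates that
# differ only in Subject/Issuer DN produce identical TLSA record data.
# Assumes: an openssl binary on PATH; mail.example.com is a placeholder name.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One private key shared by every certificate below.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/key.pem" 2>/dev/null
}

# Self-signed certificate for the given subject.  The subject cannot be
# empty here: Issuer is mandatory, and self-signed means Issuer == Subject.
make_selfsigned() {
    openssl req -x509 -new -key "$WORK/key.pem" -subj "$1" -days 30 \
        -out "$2" 2>/dev/null
}

# TLSA "3 1 1" association data: SHA-256 over the DER SubjectPublicKeyInfo.
tlsa_311_data() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Full record line as it would appear in the zone (placeholder owner name).
tlsa_record() {
    printf '_25._tcp.mail.example.com. IN TLSA 3 1 1 %s\n' "$(tlsa_311_data "$1")"
}

gen_key
make_selfsigned "/CN=?"                "$WORK/a.pem"   # minimal DN from the thread
make_selfsigned "/CN=mail.example.com" "$WORK/b.pem"   # conventional DN, same key

echo "a.pem: $(openssl x509 -in "$WORK/a.pem" -noout -subject)"
echo "b.pem: $(openssl x509 -in "$WORK/b.pem" -noout -subject)"
tlsa_record "$WORK/a.pem"
tlsa_record "$WORK/b.pem"
# Both TLSA lines carry the same digest; only a different key would change it.
```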