On Sat, Jan 18, 2014 at 01:14:25AM +0100, Martin Rex wrote:
> Ooops, typo, I meant (notbefore>notafter) is bogus:
My example is not intended to suggest best-practice server certificate
settings, rather it is intended to emphasize DANE client requirements.
Servers should not push their luck, but, with usage DANE-EE(3),
clients should to the extent possible accept any certificate that
matches the TLSA record, regardless of certificate details.
Sometimes extreme settings that are not recommended in practice
can best serve to make a point. So I don't disagree with you in
fact. The certificate I posted makes my answer to the original question
in this thread as clear as possible.
--
Viktor.
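
The client behaviour described in the message above, as an added example that is not part of the original thread: a usage DANE-EE(3) check that compares only the bytes chosen by the TLSA selector and matching type and never reads the validity dates. The function names are hypothetical, and the sample is a constructed, unsigned, certificate-shaped DER blob with notBefore later than notAfter, not a real certificate.

```python
import hashlib

def tlv(tag, body):
    """DER-encode one element (short-form length is enough for the sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def spki_der(cert):
    """Extract the DER subjectPublicKeyInfo from a DER certificate."""
    _, start, _ = read_tlv(cert, 0)             # Certificate
    _, pos, tbs_end = read_tlv(cert, start)     # TBSCertificate
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        if tag != 0xA0:                   # skip the optional [0] version
            fields.append(cert[pos:end])
        pos = end
    return fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI

# TLSA matching types: 0 = full data, 1 = SHA-256, 2 = SHA-512
DIGEST = {0: bytes, 1: lambda d: hashlib.sha256(d).digest(),
          2: lambda d: hashlib.sha512(d).digest()}

def dane_ee_match(cert, selector, mtype, assoc):
    """Usage 3 check: only the selected bytes are compared.
    Validity dates, names and issuer are never consulted."""
    if selector not in (0, 1) or mtype not in DIGEST:
        return False
    data = cert if selector == 0 else spki_der(cert)   # 0 = Cert, 1 = SPKI
    return DIGEST[mtype](data) == assoc

def constructed_cert():
    """Constructed, unsigned, certificate-shaped DER with notBefore > notAfter."""
    validity = tlv(0x30, tlv(0x17, b"140118000000Z") + tlv(0x17, b"130118000000Z"))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00constructed-key"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + tlv(0x30, b"") + validity + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00")), spki
```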