On Thu, May 29, 2014 at 01:05:17AM -0700, John Gilmore wrote:

> In reviewing the draft, I noticed that it doesn't ever describe how
> you store such a public key in a TLSA record.

I think there is an obvious format, that should be spelled out
explicitly in some suitable document.  Namely the same format as
for the SPKI of a leaf certificate with any supported matching
type:

    ; Match SPKI of a certificate or just the bare public key
    _25._tcp.mx1.example.com IN TLSA DANE-EE(3) SPKI(1) ? {blob}

DANE TLS clients that also support the new TLS oob public key
extension can include it in their client HELLO, provided every RR
in the TLSA RRset is a "3 1 X" RR (they must perform the DNS lookup
before client HELLO).  If any of the RRs have a different usage,
then a full leaf certificate may be required, and the client MUST
NOT signal oob public key support (since the client would potentially
be unable to match a subset of the TLSA records, which may be the
currently active configuration).

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
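The two rules in the message above, as an added worked example that is not part of the original mail or of any DANE implementation: TLSA RDATA is parsed from presentation format, a bare SubjectPublicKeyInfo is checked against a "3 1 X" record for each matching type, and the client decides whether it may signal raw public key support only when every RR in the RRset is DANE-EE(3) SPKI(1). The function names, the `TLSARecord` class and the Ed25519 SPKI bytes are assumptions for illustration; the key material is constructed, not a real key.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key, i.e. the
# 12-byte SPKI prefix followed by a 32-byte key.  The key bytes are made up.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SAMPLE_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32))
OTHER_SPKI = _ED25519_SPKI_PREFIX + bytes(range(32, 64))


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RR: usage 3 = DANE-EE, selector 1 = SPKI,
    matching type 0 = full data, 1 = SHA-256, 2 = SHA-512."""
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse TLSA RDATA in presentation format, e.g. '3 1 1 <hex>'.
    The hex blob may be split across whitespace as in zone files."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type, data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    return TLSARecord(usage, selector, matching_type,
                      bytes.fromhex("".join(fields[3:])))


def make_tlsa_for_spki(spki_der: bytes, matching_type: int) -> TLSARecord:
    """Build the '3 1 X' record that publishes a bare public key."""
    if matching_type == 0:
        data = spki_der
    elif matching_type == 1:
        data = hashlib.sha256(spki_der).digest()
    elif matching_type == 2:
        data = hashlib.sha512(spki_der).digest()
    else:
        raise ValueError("unsupported matching type %d" % matching_type)
    return TLSARecord(3, 1, matching_type, data)


def spki_matches(rr: TLSARecord, spki_der: bytes) -> bool:
    """True if a DER SubjectPublicKeyInfo satisfies a '3 1 X' record.
    Any other usage/selector needs a full certificate, so a bare key
    can never match it; an unknown matching type is likewise unusable."""
    if rr.usage != 3 or rr.selector != 1:
        return False
    if rr.matching_type == 0:
        return rr.data == spki_der
    if rr.matching_type == 1:
        return rr.data == hashlib.sha256(spki_der).digest()
    if rr.matching_type == 2:
        return rr.data == hashlib.sha512(spki_der).digest()
    return False


def may_offer_raw_public_key(rrset) -> bool:
    """Client-side rule from the message: signal oob public key support
    only when every RR is '3 1 X', since any other RR might be the one
    describing the server's currently active configuration."""
    rrset = list(rrset)
    return bool(rrset) and all(rr.usage == 3 and rr.selector == 1 for rr in rrset)


if __name__ == "__main__":
    rrset = [make_tlsa_for_spki(SAMPLE_SPKI, 1), make_tlsa_for_spki(SAMPLE_SPKI, 2)]
    print("all 3 1 X, may offer raw key:", may_offer_raw_public_key(rrset))
    mixed = rrset + [parse_tlsa("2 0 1 " + "00" * 32)]
    print("mixed usages, may offer raw key:", may_offer_raw_public_key(mixed))
    print("served SPKI matches 3 1 1:", spki_matches(rrset[0], SAMPLE_SPKI))
```

The decision is deliberately made over the whole RRset rather than the first matching RR: the client cannot know which RR reflects the key currently in service, so a single non-"3 1 X" RR is enough to withhold the extension.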
