On Fri, May 30, 2014 at 02:28:33PM -0400, Paul Wouters wrote:
> On Fri, 30 May 2014, Viktor Dukhovni wrote:
>
> >Would it be a problem if this got covered consistently in multiple
> >documents? From the perspective of an implementor it would be
> >helpful to see this covered in whichever document I happened to
> >be reading when adding bare public key support.
>
> The bare public key document could refer to an ERRATA for 6698 that
> states an ASN.1 SPKI structure is to be considered a "PKIX certificate"
> in the context of TLSA certificate usage selectors?

Two problems with that:

* The ERRATUM will likely be rejected, because the restriction was
  intentional.

* This is the obvious part of how to use "oob public key" with
  DANE, and need hardly be explained. The non-obvious part is the
  need to only signal "oob public key" support in the client
  when the server's TLSA RRs contain *only* "DANE-EE(3) SPKI(1) ?"
  records. I'll leave it to the authors of that draft to decide
  whether that should be explained in their draft, or in a
  suitable separate DANE WG document.

--
Viktor.
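
The check described in the second point above, as an added example that is not part of the original message or of any draft: a client-side test over the server's TLSA RRset that decides whether to signal "oob public key" support. The function names, the sample records, and the choice to treat an empty or unparseable RRset as "do not signal" are assumptions of this example.

```python
from typing import Iterable, NamedTuple

# RFC 7218 acronyms, accepted alongside the numeric values.
USAGES = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}
SELECTORS = {"CERT": 0, "SPKI": 1}
MTYPES = {"FULL": 0, "SHA2-256": 1, "SHA2-512": 2}


class Tlsa(NamedTuple):
    usage: int
    selector: int
    mtype: int
    data: bytes


def _field(token: str, names: dict) -> int:
    key = token.upper()
    value = names[key] if key in names else int(token)  # int() raises ValueError
    if not 0 <= value <= 255:
        raise ValueError(f"TLSA field out of range: {token!r}")
    return value


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse TLSA RDATA in presentation form: usage selector mtype hex..."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"short TLSA RDATA: {rdata!r}")
    return Tlsa(_field(parts[0], USAGES), _field(parts[1], SELECTORS),
                _field(parts[2], MTYPES), bytes.fromhex("".join(parts[3:])))


def may_offer_raw_public_key(rrset: Iterable[str]) -> bool:
    """True only if every TLSA record is DANE-EE(3) SPKI(1), any matching type.

    Any other usage or selector needs a certificate or chain, which a bare
    public key does not provide, so such a record could never be matched.
    """
    try:
        records = [parse_tlsa(r) for r in rrset]
    except ValueError:
        return False  # assumption of this example: unparseable RRset, do not signal
    return bool(records) and all(r.usage == 3 and r.selector == 1 for r in records)


# Constructed sample RRsets (digests are filler, not real keys).
D256, D512 = "ab" * 32, "cd" * 64
ONLY_3_1 = [f"3 1 1 {D256}", f"DANE-EE SPKI SHA2-512 {D512}"]
MIXED = [f"3 1 1 {D256}", f"2 0 1 {D256}"]
```
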