Some thoughts on this:

A 3 0 0 tlsa will work as well as a 3 1 x. The client can pull the spki out on its own.

I find both possibilities, incorporation in the tla rfc or a new rfc from us, equally acceptable methods of publication. As long as our input is reflected.

It is not that *all* tlsas need to be limited just because the server supports the oob methods. Rather, *at least one* of the published tlsas must be usable (3-0-0 or 3-1-x and secure in this case) and match.

Should a different kind of bare key show up, one which doesn't look like the spki blob expected by x-1-y tlsa (openssh keys would be interesting), we can publish an rfc defining matching type 2. But given:

,----< excerpt from draft-ietf-tls-oob-pubkey-11.txt >
| namely, the SubjectPublicKeyInfo structure of a PKIX certificates
| that carries the parameters necessary to describe the public key.
`----

we do not need match 2 for this.

-JimC
--
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
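The point of the post, that with a raw (out-of-band) public key a 3 0 0 record and a 3 1 x record are interchangeable and that only one record in the published set has to be usable and match, can be checked with a small matcher. The code below is an added illustration, not code from the post, the DANE working group or the oob-pubkey draft; the Ed25519 SubjectPublicKeyInfo blob is constructed (the 32 key bytes are filler, not a real key), and the function and field names are the example's own. It follows the post's reasoning that, when the server presents a bare SPKI, the "full data" selected by selector 0 is the same bytes as the SPKI selected by selector 1.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed Ed25519 SubjectPublicKeyInfo in the RFC 8410 layout:
#   SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0x00 || 32 key bytes } }
# The key bytes are an arbitrary constructed value for the example only.
RAW_KEY = bytes(range(32))
SPKI = bytes.fromhex("302a300506032b6570032100") + RAW_KEY
OTHER_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(32)  # a different key


@dataclass(frozen=True)
class TLSA:
    usage: int     # certificate usage: 3 = DANE-EE (the only usage handled here)
    selector: int  # 0 = full presented data, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type: 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data as published in DNS


def select(selector: int, presented: bytes) -> bytes:
    """Apply the TLSA selector to what the server presented.

    With a raw public key the presented object *is* the SPKI, so selector 0
    (full data) and selector 1 (SPKI) yield the same bytes; that is why a
    3 0 0 record works as well as a 3 1 x record. Unknown selectors raise,
    and the caller treats such a record as unusable rather than as a match.
    """
    if selector in (0, 1):
        return presented
    raise ValueError(f"unknown selector {selector}")


def match_data(mtype: int, selected: bytes) -> bytes:
    """Reduce the selected bytes to the form stored in the record's data field."""
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def publish(usage: int, selector: int, mtype: int, spki: bytes) -> TLSA:
    """Build the record a zone operator would publish for a raw public key."""
    return TLSA(usage, selector, mtype, match_data(mtype, select(selector, spki)))


def record_matches(rr: TLSA, presented_spki: bytes) -> bool:
    """Return True if this one record is usable for a raw key and matches it."""
    if rr.usage != 3:
        # PKIX usages (0, 1) need a validated chain, which a bare key cannot
        # supply; usage 2 needs a trust-anchor chain. Only DANE-EE applies.
        return False
    try:
        expected = match_data(rr.mtype, select(rr.selector, presented_spki))
    except ValueError:
        return False  # unsupported selector/matching type: skip, do not fail
    return hmac.compare_digest(expected, rr.data)


def rrset_matches(rrset: list[TLSA], presented_spki: bytes) -> bool:
    """At least one usable record in the (DNSSEC-secured) RRset must match."""
    return any(record_matches(rr, presented_spki) for rr in rrset)


if __name__ == "__main__":
    rrset = [publish(3, 0, 0, SPKI), publish(3, 1, 1, SPKI)]
    print("3 0 0 matches:", record_matches(rrset[0], SPKI))
    print("3 1 1 matches:", record_matches(rrset[1], SPKI))
    print("RRset accepts raw key:", rrset_matches(rrset, SPKI))
```

The `rrset_matches` loop encodes the "at least one must be usable and match" rule: a record with a selector or matching type the client does not implement is skipped rather than treated as a failure, so a zone can carry both a 3 0 0 and a 3 1 1 record (or a future matching type) without breaking clients that only understand one of them.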
