On Fri, May 30, 2014 at 06:35:06PM -0700, Jim Schaad wrote:

> > I think there is an obvious format, that should be spelled out explicitly in
> > some suitable document.  Namely the same format as for the SPKI of a leaf
> > certificate with any supported matching
> > type:
> > 
> >     ; Match SPKI of a certificate or just the bare public key
> >     _25._tcp.mx1.example.com IN TLSA DANE-EE(3) SPKI(1) ? {blob}
> > 
> [JLS] That may be one obvious format.  I think that an even better format
> would be to define a new TLSA certificate type so that the client will know
> that an OOB bare key is what is coming.   Thus
> 
>     ; Match SPKI of a certificate or just the bare public key
>     _25._tcp.mx1.example.com IN TLSA DANE-BARE-KEY(4) SPKI(1) ? {blob}

This I think adds no value over DANE-EE(3) and needlessly makes
server operators publish two records where one will do.

It should be possible for clients to offer the new TLS extension
when it is compatible with the server's TLSA RRs and to authenticate
the server either based on a full X.509 cert or a bare SPKI.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
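Viktor's point that a single DANE-EE(3) SPKI(1) record can authenticate the server whether it presents a full X.509 certificate or a bare SubjectPublicKeyInfo can be shown directly in code. The following Python is an added example, not code from this thread or from any DANE implementation. It uses only the standard library: it builds an Ed25519 SubjectPublicKeyInfo from constructed placeholder key material, wraps the same SPKI in a structurally valid but dummy-signed toy certificate, derives the TLSA RDATA, and verifies the record against either presentation. The `can_offer_raw_public_key` policy is an assumption about what "compatible with the server's TLSA RRs" means (every record must be DANE-EE(3) SPKI(1)), not a rule taken from any RFC; the helper and constant names are likewise this example's own.

```python
import hashlib
import hmac

# TLSA field values (RFC 6698) used below.
DANE_EE = 3          # certificate usage: end-entity, no PKIX validation
SELECTOR_SPKI = 1    # selector: SubjectPublicKeyInfo rather than the full certificate
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


# Minimal DER encoding/decoding, just enough for the structures built here.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf, pos):
    """Return (tag, body, end_offset) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed DER body."""
    pos = 0
    while pos < len(buf):
        tag, _, end = der_read(buf, pos)
        yield tag, buf[pos:end]
        pos = end


# AlgorithmIdentifier for id-Ed25519 (RFC 8410).
ED25519_ALG_ID = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))


def ed25519_spki(raw_key):
    """SubjectPublicKeyInfo for a 32-byte Ed25519 key: the object sent as an RFC 7250 raw public key."""
    return tlv(0x30, ED25519_ALG_ID + tlv(0x03, b"\x00" + raw_key))


def toy_certificate(spki):
    """Structurally valid X.509 v3 Certificate wrapping `spki`, with an all-zero dummy signature.
    Constructed for this example only; DANE-EE(3) ignores signature, names and validity anyway."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))   # CN=
                                       + tlv(0x0C, b"mx1.example.com"))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))   # [0] version v3
                    + tlv(0x02, b"\x01")            # serialNumber
                    + ED25519_ALG_ID                # signature algorithm
                    + name + validity + name        # issuer, validity, subject
                    + spki)                         # subjectPublicKeyInfo
    return tlv(0x30, tbs + ED25519_ALG_ID + tlv(0x03, b"\x00" + bytes(64)))


def spki_from_certificate(cert_der):
    """Extract the DER SubjectPublicKeyInfo from a DER-encoded Certificate."""
    _, cert_body, _ = der_read(cert_der, 0)        # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_read(cert_body, 0)             # TBSCertificate ::= SEQUENCE { ... }
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def tlsa_rdata(usage, selector, matching_type, der_object):
    """TLSA RDATA: usage, selector, matching type, then the (possibly hashed) association data."""
    digest = {MATCH_FULL: lambda d: d,
              MATCH_SHA256: lambda d: hashlib.sha256(d).digest(),
              MATCH_SHA512: lambda d: hashlib.sha512(d).digest()}[matching_type]
    return bytes([usage, selector, matching_type]) + digest(der_object)


def tlsa_presentation(owner, rdata):
    """Zone-file form of a TLSA record."""
    return f"{owner} IN TLSA {rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"


def dane_ee_spki_match(rdata, presented, raw_public_key):
    """Check a DANE-EE(3) SPKI(1) record against what the server presented: a full DER
    certificate (raw_public_key=False) or a bare DER SPKI from the raw-public-key extension."""
    usage, selector, matching_type = rdata[0], rdata[1], rdata[2]
    if usage != DANE_EE or selector != SELECTOR_SPKI:
        return False                               # only the record form discussed in the thread
    spki = presented if raw_public_key else spki_from_certificate(presented)
    expected = tlsa_rdata(usage, selector, matching_type, spki)
    return hmac.compare_digest(expected, rdata)


def can_offer_raw_public_key(rrset):
    """Client policy (an assumption of this example, not a standard rule): offer the raw-public-key
    extension only when every TLSA record could be matched against a bare SPKI."""
    return bool(rrset) and all(r[0] == DANE_EE and r[1] == SELECTOR_SPKI for r in rrset)


if __name__ == "__main__":
    key = bytes(range(32))                         # constructed placeholder key material
    spki = ed25519_spki(key)
    rr = tlsa_rdata(DANE_EE, SELECTOR_SPKI, MATCH_SHA256, spki)
    print(tlsa_presentation("_25._tcp.mx1.example.com.", rr))
    print("full certificate matches:", dane_ee_spki_match(rr, toy_certificate(spki), raw_public_key=False))
    print("bare public key matches: ", dane_ee_spki_match(rr, spki, raw_public_key=True))
```

Both checks pass against the same record, which is the argument against a separate DANE-BARE-KEY usage: the selector already names the SPKI, so the client's only extra job is to skip the certificate parsing step when the raw-public-key extension was negotiated. A record with selector 0 (full certificate) can never be matched by a bare key, which is why the client-side offer policy looks at the whole RRset before advertising the extension.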
