>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:

VD> If the TLSA records don't include any [3-0-0 or 3-1-x], or are
VD> mixed, the client must not negotiate "oob public key".

That is a valid point, but if they are mixed, the client can try, and if
the offered key doesn't match the suitable tlsas, it can drop the
connection and try again without specifying the extension.

When properly configured, if the server's only current cert(s) is full,
then the server should not agree to the tls extension.

The need to drop and restart should be rare.

-JimC

P.S. Sorry for replying yesterday before I read your correction re 3-0-0.

-- 
James Cloos <[email protected]>         OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
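The two client policies argued about above, as an added illustration that is not part of the thread and not code from either poster. It assumes "oob public key" means the TLS raw-public-key extension, where the server presents only its SubjectPublicKeyInfo, so a client can match that against 3-1-x records directly, and against 3-0-0 only by pulling the SPKI out of the stored certificate (that X.509 step is left out here; the code matches raw keys against 3-1-x only). The TLSA records, the key and certificate blobs, and the server are all constructed (placeholder byte strings, not real DER), and the scenario is a key rollover that leaves the RRset mixed: an old 3-1-1 record next to a new 3-0-1 record.

```python
"""Client-side DANE logic for the 'mixed TLSA records' case: decide whether
to offer the raw-public-key extension, check what the server sends back, and
fall back to a plain X.509 handshake when needed.  Constructed example: the
key/cert blobs are placeholder bytes, not DER, and the server is a mock."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0-3; 3 = DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data (DER or digest)

def usable_with_raw_key(rr: TLSA) -> bool:
    """A raw public key carries only the SPKI, so only DANE-EE records that pin
    the SPKI (3-1-x) or hold the whole certificate in the clear (3-0-0, from
    which the SPKI can be read) can be matched against it."""
    if rr.usage != 3:
        return False
    return rr.selector == 1 or (rr.selector == 0 and rr.mtype == 0)

def rawpk_policy(rrset: Iterable[TLSA]) -> str:
    """'all' if every record is usable with a raw key, 'none' if no record is,
    'mixed' otherwise."""
    rrs = list(rrset)
    usable = sum(1 for rr in rrs if usable_with_raw_key(rr))
    if usable == 0:
        return "none"
    return "all" if usable == len(rrs) else "mixed"

def _match(mtype: int, blob: bytes) -> Optional[bytes]:
    """Apply the TLSA matching type to the presented data."""
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    return None  # unknown matching type never matches

def spki_matches(rr: TLSA, spki_der: bytes) -> bool:
    """Match a presented raw public key against a 3-1-x record (3-0-0 would
    need the SPKI extracted from the stored certificate; not done here)."""
    if rr.usage != 3 or rr.selector != 1:
        return False
    return _match(rr.mtype, spki_der) == rr.data

def cert_matches(rr: TLSA, cert_der: bytes) -> bool:
    """Match a presented full certificate against a 3-0-x record."""
    if rr.usage != 3 or rr.selector != 0:
        return False
    return _match(rr.mtype, cert_der) == rr.data

class MockServer:
    """Stand-in for the peer: a server that agrees to the extension answers a
    raw-key offer with its SPKI, otherwise it sends the full certificate."""
    def __init__(self, spki_der: bytes, cert_der: bytes, agrees_to_rawpk: bool):
        self.spki_der, self.cert_der = spki_der, cert_der
        self.agrees_to_rawpk = agrees_to_rawpk

    def hello(self, offer_rawpk: bool) -> Tuple[str, bytes]:
        if offer_rawpk and self.agrees_to_rawpk:
            return "raw_pk", self.spki_der
        return "x509", self.cert_der

def connect(rrset: Iterable[TLSA], server: MockServer, strict: bool = False) -> dict:
    """strict=True: offer the extension only when every record is usable with
    a raw key (the stricter rule).  strict=False: offer it whenever at least
    one record is usable; if the server's raw key matches none of them, drop
    and reconnect without the extension (the lenient rule)."""
    rrs = list(rrset)
    policy = rawpk_policy(rrs)
    offer = (policy == "all") if strict else (policy != "none")
    attempts: List[str] = []
    kind, blob = server.hello(offer)
    attempts.append(kind)
    if kind == "raw_pk":
        if any(spki_matches(rr, blob) for rr in rrs):
            return {"policy": policy, "attempts": attempts, "verified": "raw_pk"}
        kind, blob = server.hello(False)  # drop and retry without the extension
        attempts.append(kind)
    verified = "x509" if any(cert_matches(rr, blob) for rr in rrs) else None
    return {"policy": policy, "attempts": attempts, "verified": verified}

# Constructed sample data: keys were rolled, a 3-0-1 record was published for
# the new certificate, and the old 3-1-1 record (old key) is still present.
OLD_SPKI = b"constructed-spki-old"
NEW_SPKI = b"constructed-spki-new"
NEW_CERT = b"constructed-cert-wrapping-" + NEW_SPKI
MIXED_RRSET = [
    TLSA(3, 1, 1, hashlib.sha256(OLD_SPKI).digest()),  # 3-1-1, old key
    TLSA(3, 0, 1, hashlib.sha256(NEW_CERT).digest()),  # 3-0-1, new cert
]
SERVER = MockServer(NEW_SPKI, NEW_CERT, agrees_to_rawpk=True)

if __name__ == "__main__":
    print(connect(MIXED_RRSET, SERVER, strict=False))
    print(connect(MIXED_RRSET, SERVER, strict=True))
```

With the lenient rule the mixed RRset costs one extra round trip (raw key offered, rejected against the 3-1-1 record, reconnect, full certificate matched against 3-0-1); with the strict rule the client never offers the extension on a mixed RRset and verifies the certificate on the first try. The server-side half of the argument is the `agrees_to_rawpk` flag: a server whose current certificate is pinned only by full-certificate records should leave it false.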
