>>>>> "VD" == Viktor Dukhovni <[email protected]> writes:
VD> Suppose the only one that does is a "DANE-TA(2) Cert(0) SHA2-256(1)".
VD> What then?

The oob requesting client aborts.

And, perhaps, tries again w/o oob. Or, if the client also groks oob-via-ldap, it uses the ldap info instead of the tlsa.

I know (based on your posts) that you don't like that as a possible outcome. But for many it is not a big deal.

The RFCs do not need to demand that everyone avoid every possible corner case. They instead should explain what occurs when the corners are met.

It is not that we fail to understand the issue, we just don't mind the possibility that an oob attempt might fail, even where a non-oob wouldn't.

If there are no tlsa records which could work, and if the client can only do oob via dane, then it should avoid oob for that connection.

If it does not know how to extract an spki from a cert, and every tlsa which might be for the ee is full cert, then again it should avoid oob.

But if any of the tlsa might be ok, there is nothing wrong with it trying oob, just in case it might work.

-JimC
--
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
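The pre-check James describes (attempt oob only if some TLSA record could possibly validate a raw end-entity key, and skip it when the only records are things like "DANE-TA(2) Cert(0) SHA2-256(1)" or full certificates the client cannot parse), as an added example that is not code from this thread or from any DANE implementation. The usability rules are my reading of the message, and the record tuples are constructed sample data.

```python
"""Decide whether a DANE client should attempt an out-of-band (raw public key)
connection, given the TLSA RRset it fetched for the service.

Rules assumed here (a reading of the thread, not RFC text): a record can support
an oob attempt only if it describes the end-entity key (usage DANE-EE(3)) and
either carries/matches the SubjectPublicKeyInfo directly (selector SPKI(1)) or
carries a full certificate (Cert(0) + Full(0)) the client can extract the SPKI
from. A DANE-TA record names an issuer, and a hash of a whole certificate can
never be checked against a bare key, so neither helps an oob client.
"""
from dataclasses import dataclass

# RFC 6698 field values
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int


def usable_for_oob(rr: TLSA, can_extract_spki: bool) -> bool:
    """True if this single record could validate a raw public key received oob."""
    if rr.usage != USAGE_DANE_EE:
        # PKIX-TA/PKIX-EE need a chain; DANE-TA identifies an issuer, not the EE key
        return False
    if rr.selector == SELECTOR_SPKI:
        # full SPKI or a hash of it: both compare directly against the raw key
        return True
    # selector Cert(0): only a full cert lets the client recover the SPKI, and only
    # if it knows how to parse one; a certificate hash cannot match a bare key
    return rr.mtype == MATCH_FULL and can_extract_spki


def should_attempt_oob(rrset, can_extract_spki: bool) -> bool:
    """Try oob if any record might work; otherwise avoid it for this connection."""
    return any(usable_for_oob(rr, can_extract_spki) for rr in rrset)


if __name__ == "__main__":
    # constructed RRset: one DANE-TA cert hash, one DANE-EE SPKI hash
    sample = [TLSA(USAGE_DANE_TA, SELECTOR_CERT, MATCH_SHA256),
              TLSA(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256)]
    print("attempt oob:", should_attempt_oob(sample, can_extract_spki=False))
```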
