[ I'm splitting it into a few messages to keep it manageable, and
in any case some of my comments are still pencil marks on a
print-out, not yet transcribed. ]
This message covers 3.4 through the end of the document.
General comment (copied verbatim from abstract and introduction
feedback):
The draft frequently talks about "hostnames", where what is
really meant is a transport endpoint (port, transport protocol,
host). With PKIX-EE or DANE-EE certificate usages, TLSA records
are more precise than the Web PKI and can associate different,
non-interchangeable key material with distinct services on a
single host. So in many places I will be suggesting replacing
statements about "hostnames" with statements about "transport
endpoints".
3.4. Impact on TLS Usage
First bullet:
s/under 4/in 4/
Third bullet:
s/If the TLSA response is "bogus" or "indeterminate"/If the TLSA lookup fails/
perhaps noting that a "secure" or "insecure" NXDOMAIN is not a failure (as in
the DNS error section of the SMTP draft).
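As an added illustration of the two points above (transport-endpoint granularity of TLSA owner names, and lookup failure versus a secure or insecure denial of existence), here is a small Python sketch. It is not part of this message or of the draft; the zone contents, the status and rcode strings, and the outcome names are constructed for the example, and no real DNS lookup is performed.

```python
from enum import Enum


class Outcome(Enum):
    USE_DANE = "authenticate the endpoint against its TLSA records"
    NO_DANE = "no DANE data for this endpoint; apply the non-DANE policy"
    LOOKUP_FAILED = "TLSA lookup failed; this is not the same as 'no TLSA records'"


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """RFC 6698 owner name for a transport endpoint: _port._proto.host.

    The key is (port, protocol, host), not the host alone, so one host can
    publish distinct, non-interchangeable key material per service.
    """
    return f"_{port}._{proto}.{host.rstrip('.')}."


# Constructed sample zone: one host, two endpoints, two different DANE-EE(3)
# records (usage 3, selector 1 = SPKI, matching type 1 = SHA-256).
# The association data are dummy 32-byte values, not real SPKI digests.
CONSTRUCTED_TLSA_ZONE = {
    "_25._tcp.mail.example.com.": [(3, 1, 1, b"\x11" * 32)],
    "_443._tcp.mail.example.com.": [(3, 1, 1, b"\x22" * 32)],
}


def records_for_endpoint(host: str, port: int, proto: str = "tcp") -> list:
    """Look the endpoint up in the constructed zone (stands in for a resolver)."""
    return CONSTRUCTED_TLSA_ZONE.get(tlsa_owner_name(host, port, proto), [])


def classify_tlsa_lookup(status: str, rcode: str, records: list) -> Outcome:
    """Decide what a TLSA lookup result means for the client.

    status: DNSSEC validation state reported by the resolver, one of
            'secure', 'insecure', 'bogus', 'indeterminate' (assumed vocabulary).
    rcode:  'NOERROR', 'NXDOMAIN', 'SERVFAIL' or 'TIMEOUT' (assumed vocabulary).
    """
    # A validation failure or a resolver/transport error is a failed lookup.
    # It must not be silently downgraded to "no TLSA records here".
    if status in ("bogus", "indeterminate") or rcode in ("SERVFAIL", "TIMEOUT"):
        return Outcome.LOOKUP_FAILED
    # An unsigned zone cannot carry authenticated TLSA records; no DANE, no error.
    if status == "insecure":
        return Outcome.NO_DANE
    # status == 'secure': an authenticated NXDOMAIN or empty answer (NODATA)
    # is a definitive "no records" answer, not a failure.
    if rcode == "NXDOMAIN" or not records:
        return Outcome.NO_DANE
    return Outcome.USE_DANE
```

The point the function makes explicit is the asymmetry: "bogus", "indeterminate" and DNS errors leave the client without an answer, whereas a secure or insecure NXDOMAIN is an answer.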
4.1. SRV records only
Second paragraph:
Also mention here that 6125 and reference identifiers don't apply
with DANE-EE(3) (some folks may not read as far as 4.2)
4.2 TLSA Records:
The SMTP and OPS drafts have "toned down" the degree to which the
content of DANE-EE(3) certs is ignored, specifically only the
hostname and expiration are superseded by DNSSEC. Other features
of the certificate (key usage, ...) may still be taken into account.
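To make concrete what "only the hostname and expiration are superseded" looks like in a client, here is an added Python example of a DANE-EE(3) match. It is not code from this message, the draft, or any DANE implementation. It carries a minimal DER encoder/decoder so that it can build a synthetic, already-expired certificate whose subject names a different host, and then shows that the TLSA match still succeeds because neither the name nor the validity period is consulted. The key-usage check that the comment says may still be taken into account is not implemented here (it would require parsing the extensions and would sit alongside the match); the certificate fields and key bytes are constructed.

```python
import hashlib
import hmac


# ---- minimal DER helpers, enough to build and walk a synthetic certificate ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_seq(*parts: bytes) -> bytes:
    return der(0x30, b"".join(parts))


def der_read(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the subjectPublicKeyInfo TLV by walking RFC 5280 field order."""
    _, cert_body, _ = der_read(cert_der, 0)      # Certificate
    _, tbs, _ = der_read(cert_body, 0)           # tbsCertificate
    tag, _, pos = der_read(tbs, 0)               # [0] version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = der_read(tbs, pos)           # serialNumber
    for _ in range(4):                           # signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)
    return tbs[pos:end]


# ---- the DANE-EE(3) match itself ----
def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data per RFC 6698: selector 0 = full cert,
    1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    return hashlib.sha512(data).digest()


def dane_ee_match(cert_der: bytes, tlsa: tuple) -> bool:
    """tlsa = (usage, selector, matching_type, association_data)."""
    usage, selector, matching_type, assoc = tlsa
    if usage != 3:
        raise ValueError("only DANE-EE(3) is handled here")
    if selector not in (0, 1) or matching_type not in (0, 1, 2):
        return False                             # unknown parameters: record unusable
    # Deliberately no RFC 6125 reference-identifier check and no validity-period
    # check: with DANE-EE(3) the DNSSEC-validated TLSA record supersedes both.
    return hmac.compare_digest(association_data(cert_der, selector, matching_type), assoc)


# ---- constructed test certificate ----
def constructed_spki() -> bytes:
    # Ed25519 SubjectPublicKeyInfo (OID 1.3.101.112) around a constructed 32-byte key.
    return der_seq(der_seq(der(0x06, b"\x2b\x65\x70")),
                   der(0x03, b"\x00" + bytes(range(32))))


def constructed_cert(spki: bytes) -> bytes:
    # Expired in 2021 and with a subject CN naming a different host, so that a
    # successful match shows both checks being skipped. Signature is a placeholder.
    version = der(0xA0, der(0x02, b"\x02"))      # [0] EXPLICIT INTEGER 2 (v3)
    serial = der(0x02, b"\x01")
    sig_alg = der_seq(der(0x06, b"\x2b\x65\x70"))
    name = der_seq(der(0x31, der_seq(der(0x06, b"\x55\x04\x03"),   # CN=
                                     der(0x0c, b"other.example"))))
    validity = der_seq(der(0x17, b"200101000000Z"), der(0x17, b"210101000000Z"))
    tbs = der_seq(version, serial, sig_alg, name, validity, name, spki)
    signature = der(0x03, b"\x00" + bytes(64))
    return der_seq(tbs, sig_alg, signature)
```

Running `dane_ee_match(constructed_cert(spki), (3, 1, 1, hashlib.sha256(spki).digest()))` returns True even though the certificate is expired and names `other.example`, which is exactly the behaviour the toned-down wording in the SMTP and OPS drafts describes.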
Material after section 4 is largely fine.
* Please update smtp-with-dane reference from -05 to -13.
* Should the XMPP example SRV record really be "_xmpp-client",
or instead "_xmpp-server"? Not familiar with XMPP, so please
pardon my confusion if that's what it is.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane