On Thu, 2 Apr 2015, Paul Wouters wrote:
Right, and:
(for email signing):
- must have the Digital Signature or Non-Repudiation OIDs as a Key Usage.
(for email encryption):
- must have the Key Agreement or Data Encipherment OIDs as a Key Usage.
So why add the DNS complexity for _sign and _encrypt?
Additionally, using the DNS prefix leaks the intent of the user. The DNS
servers should not know whether or not a user is going to sign or
encrypt.
Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
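The argument above is that the certificate's own Key Usage extension already says whether a key is for signing or for encryption, so a separate _sign / _encrypt label in the DNS owner name adds nothing except a hint to the resolver about what the user is about to do. The following Python is an added example, not code from the thread or from any DANE implementation: it decodes a DER-encoded KeyUsage BIT STRING (RFC 5280 bit numbering), applies exactly the two rules quoted in the message, and then builds two candidate SMIMEA owner names to show which one carries the intent. The owner-name layout (SHA-256 of the local-part truncated to 28 octets, under a `_smimecert` label) is assumed to follow the later RFC 8162 form, and the position of the hypothetical `_sign` / `_encrypt` label is a placeholder, since the page does not specify it. All certificate bytes are constructed for the example.

```python
import hashlib

# KeyUsage bit positions from RFC 5280 section 4.2.1.3. Bit 0 is the most
# significant bit of the first content octet of the DER BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into a set of usage names.

    Only the short-form length is handled, which is all a KeyUsage value
    ever needs (at most two content octets).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]
    content = der[3:]
    if unused > 7 or (not content and unused != 0):
        raise ValueError("bad unused-bits count")
    total_bits = len(content) * 8 - unused
    usages = set()
    for bit in range(total_bits):
        byte, offset = divmod(bit, 8)
        if content[byte] & (0x80 >> offset):
            usages.add(KEY_USAGE_BITS.get(bit, f"bit{bit}"))
    return usages


def smime_roles(usages: set) -> set:
    """Apply the two rules quoted in the message verbatim.

    signing:    Digital Signature or Non-Repudiation
    encryption: Key Agreement or Data Encipherment
    Other bits (e.g. keyEncipherment) are deliberately not consulted, because
    the quoted rules do not mention them.
    """
    roles = set()
    if usages & {"digitalSignature", "nonRepudiation"}:
        roles.add("sign")
    if usages & {"keyAgreement", "dataEncipherment"}:
        roles.add("encrypt")
    return roles


def roles_from_der(der_hex: str) -> set:
    """Convenience wrapper: hex-encoded KeyUsage value -> roles."""
    return smime_roles(decode_key_usage(bytes.fromhex(der_hex)))


def smimea_owner_name(local_part: str, domain: str, intent_label: str = None) -> str:
    """Build an SMIMEA owner name.

    Assumed RFC 8162 layout: hex(SHA-256(local-part))[:56]._smimecert.<domain>.
    `intent_label` is the hypothetical _sign / _encrypt prefix under discussion;
    where it would sit in the name is a placeholder choice for this example.
    """
    digest = hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]
    labels = [digest]
    if intent_label:
        labels.append(intent_label)
    labels += ["_smimecert", domain]
    return ".".join(labels)


# Constructed KeyUsage values (tag 03, length, unused-bit count, content):
SAMPLE_CERT_USAGES = {
    "sign-only cert":   "030206c0",  # digitalSignature + nonRepudiation
    "encrypt-only cert": "03020318",  # dataEncipherment + keyAgreement
    "dual-use cert":    "03020388",  # digitalSignature + keyAgreement
    "tls-style cert":   "030205a0",  # digitalSignature + keyEncipherment
}

if __name__ == "__main__":
    for name, der_hex in SAMPLE_CERT_USAGES.items():
        print(f"{name:18s} usages={sorted(decode_key_usage(bytes.fromhex(der_hex)))} "
              f"roles={sorted(roles_from_der(der_hex))}")
    # The plain name reveals nothing about intent; the prefixed one does.
    print(smimea_owner_name("alice", "example.com"))
    print(smimea_owner_name("alice", "example.com", "_sign"))
```

Run stand-alone, the script prints the decoded usages and derived roles for each constructed certificate, followed by the two owner names: the hash-only name is identical whether the client intends to sign or encrypt, while the prefixed name exposes that choice to every resolver on the query path.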