On Mon, Apr 06, 2015 at 08:46:18AM -0400, Doug Montgomery wrote:

> Part of the issue here is that we have large enterprise identity management
> systems that issue credentials for security functions, but independent of
> application.  So while the EKU bits say that a CERT is useful for
> encryption, it does not say if that is for file encryption, disk
> encryption, or email encryption.

Public keys in the form of certificates can be obtained by MUAs
from a variety of sources.  For example, they may be obtained and
cached from a signed email.  If the key usage supports encryption,
the MUA may attempt to encrypt email replies to the sender.

It seems odd to communicate the requisite key usage information
via DANE records but fail to communicate it via other channels.

So I would suggest that the usage bits be in the certificate, 
regardless of transport.

-- 
        Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
