On Mon, Apr 27, 2015 at 12:23:40AM +0100, Chris Monteiro wrote:

> Right, so reading up on TLSA, I can see how the port, certificate and
> certificate metadata are defined together and obviously I think this
> is a great implementation to kill off CAs as we know them.

This is the DANE working group mailing list, I think this is off topic.

> However, I don't see why the TLSA syntax must require the preferred
> port AND the certificate hash as well. A systems administrator wants to
> only specify use of say 443/TLS whilst relying on the existing CA
> system for certificate validation. Sure this is not where we want to
> be long term, but allowing to implement partial TLSA features would
> simplify things wouldn't it?

The administrator can use DANE-TA(2) or PKIX-TA(0) (whichever is better applicable to the application protocol in question), and then need not publish the particular server certificate.

> Therefore I believe my proposal is to allow a cut-down implementation
> of TLSA for this purpose.

No, you're just new to the issues, and have not thought them through yet. Take your time. You can follow-up on [email protected] if you like, that's a user forum, not an IETF WG list.

-- 
Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
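The point Viktor makes above, that a trust-anchor usage (DANE-TA(2) or PKIX-TA(0)) lets the administrator publish the issuing CA rather than the individual server certificate, as an added illustration that is not part of the original thread. The "certificates" below are constructed byte strings standing in for DER-encoded X.509 certificates, only selector 0 (full certificate) with matching type 1 (SHA-256) is modelled, and the PKIX path validation that usages 0 and 1 additionally require is not performed.

```python
import hashlib

# Constructed stand-ins for DER-encoded X.509 certificates (not real certs).
CA_CERT = b"constructed DER: Example Issuing CA"
SERVER_CERT_V1 = b"constructed DER: www.example.com, serial 1, issued by Example Issuing CA"
SERVER_CERT_V2 = b"constructed DER: www.example.com, serial 2, issued by Example Issuing CA"

# TLSA certificate usage values and their RFC 7218 acronyms.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


def tlsa_rdata(usage, cert_der, selector=0, mtype=1):
    """Build the (usage, selector, matching type, data) fields of a TLSA record.

    Only selector 0 (full certificate) and matching type 1 (SHA-256) are
    modelled; selector 1 (SubjectPublicKeyInfo) would need an ASN.1 parser.
    """
    if selector != 0 or mtype != 1:
        raise ValueError("only selector 0 / matching type 1 are modelled here")
    return (usage, selector, mtype, hashlib.sha256(cert_der).digest())


def tlsa_presentation(owner, rdata):
    """Render the record in zone-file presentation format."""
    usage, selector, mtype, data = rdata
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(rdata, chain):
    """Return True if the record matches the presented chain (chain[0] is the end entity).

    End-entity usages (1, 3) compare only the leaf certificate. Trust-anchor
    usages (0, 2) accept a match on any certificate the server presents in its
    chain, which is why rotating the leaf under the same CA needs no DNS change.
    Usages 0 and 1 also require PKIX validation, which is not modelled.
    """
    usage, _selector, _mtype, data = rdata
    candidates = [chain[0]] if usage in (PKIX_EE, DANE_EE) else list(chain)
    return any(hashlib.sha256(cert).digest() == data for cert in candidates)
```

With a DANE-TA(2) record naming the CA, the chain still matches after the server certificate is reissued, whereas a DANE-EE(3) record for the old leaf stops matching.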
