I wasn't able to find anything in the archives addressing this, so apologies in advance if this has been discussed.
The draft statement that the record "need not change across certificate renewals with the same key" seems misleading. If anything in the certificate changes—and typically the expiration date will change if a certificate is regenerated using common tools, whether or not it is likely to be honored by a client—the certificate digest will change. Since presumably the TLSA record digest is of the entire certificate and not simply of the public key, as the authenticity of much of the metadata within the certificate is still of interest to clients, this means the digest in the TLSA record will change.

It seems in fact that any renewal of the certificate producing anything other than a bit-identical output would necessitate a record change. Or what am I missing?

Kyle
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
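An added example, written for this page and not part of the list post or any DANE implementation (Go standard library only): a TLSA record carries a selector field, and under RFC 6698 the matching-type-1 digest covers either the whole DER certificate (selector 0) or only the SubjectPublicKeyInfo (selector 1). Re-issuing a certificate with the same key but new validity dates changes the selector 0 digest and leaves the selector 1 digest unchanged; the certificate name and dates below are constructed, and self-signing stands in for a CA-issued renewal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA matching type 1 is SHA-256 over selector 0 (full DER cert) or selector 1 (SubjectPublicKeyInfo), per RFC 6698.
func tlsaDigests(c *x509.Certificate) (sel0, sel1 [32]byte) {
	return sha256.Sum256(c.Raw), sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// issue self-signs a certificate for key over the given validity window (demo assumption; a CA renewal alters the same fields).
func issue(key *ecdsa.PrivateKey, notBefore time.Time, days int) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()), // constructed serial, differs per issuance
		Subject:      pkix.Name{CommonName: "mail.example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // demo only; a real issuer would return the error
	}
	cert, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return cert
}

// renewalChangesDigests renews a certificate with the same key and later dates, and reports which selector's digest changed.
func renewalChangesDigests() (fullChanged, spkiChanged bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	f0, s0 := tlsaDigests(issue(key, start, 90))
	f1, s1 := tlsaDigests(issue(key, start.AddDate(0, 0, 60), 90)) // same key, new validity
	return f0 != f1, s0 != s1
}

func main() {
	fmt.Println(renewalChangesDigests()) // prints "true false"
}
```

A record published with selector 1 therefore survives a same-key renewal, while a selector 0 record must be re-published (ideally before the new certificate is deployed) for every renewal.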
