On Tue, May 12, 2015 at 08:46:54AM -0400, Kyle Rose wrote:
> The draft statement that the record "need not change across certificate
> renewals with the same key" seems misleading.
This is taken out of context. The full text in Section 5.1 of
draft-ietf-dane-ops is:
    TLSA records published for DANE servers SHOULD, as a best practice,
    be "DANE-EE(3) SPKI(1) SHA2-256(1)" records. Since all DANE
    implementations are required to support SHA2-256, this record type
    works for all clients and need not change across certificate renewals
    with the same key.
Thus the statement in question is specifically about "3 1 1" records,
which bind *only* the key and not the rest of the certificate.
> It seems in fact that any renewal of the certificate producing anything
> other than a bit-identical output would necessitate a record change.
>
> Or what am I missing?
With "3 1 1" the digest is a key digest, not a full certificate digest.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
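To make the "3 1 1" point concrete, here is an added example (not from the thread or from draft-ietf-dane-ops) that builds two constructed, unsigned certificate skeletons sharing one SubjectPublicKeyInfo, then computes the DANE-EE SHA2-256 record for selector SPKI(1) and, for contrast, selector Cert(0): the "3 1 1" text is identical for both "renewals", while a full-certificate digest changes. The DER helpers, function names and the key material are mine and the modulus is a stand-in, not a real key.

```python
import hashlib

# ASN.1 tags used by the RFC 5280 certificate layout built below.
SEQ, INT, BITSTR, NULL, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x17, 0xA0
RSA_OID = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def der(tag, body):  # one DER TLV with a definite short- or long-form length
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body
def der_int(v):  # the extra byte keeps a value with its high bit set positive
    return der(INT, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def tlv_at(data, off):  # (tag, body_start, body_end) of the TLV starting at off
    first = data[off + 1]
    n = 0 if first < 0x80 else first & 0x7F
    length = first if first < 0x80 else int.from_bytes(data[off + 2:off + 2 + n], "big")
    return data[off], off + 2 + n, off + 2 + n + length
def children(tlv):  # complete encodings of each child of a constructed element
    _, off, end = tlv_at(tlv, 0)
    out = []
    while off < end:
        _, _, e = tlv_at(tlv, off)
        out.append(tlv[off:e]); off = e
    return out

def spki_rsa(n, e):  # SubjectPublicKeyInfo: exactly the bytes a "3 1 1" record digests
    key = der(SEQ, der_int(n) + der_int(e))
    return der(SEQ, der(SEQ, der(OID, RSA_OID) + der(NULL, b"")) + der(BITSTR, b"\x00" + key))
def fake_cert(serial, not_before, not_after, spki):  # RFC 5280 field order, empty names, dummy sig
    alg = der(SEQ, der(OID, SHA256_RSA_OID) + der(NULL, b""))
    validity = der(SEQ, der(UTCTIME, not_before.encode()) + der(UTCTIME, not_after.encode()))
    tbs = der(SEQ, der(CTX0, der_int(2)) + der_int(serial) + alg + der(SEQ, b"")
              + validity + der(SEQ, b"") + spki)
    return der(SEQ, tbs + alg + der(BITSTR, b"\x00" * 33))

def cert_spki(cert):  # Certificate -> tbsCertificate -> subjectPublicKeyInfo
    fields = children(children(cert)[0])
    if fields[0][0] == CTX0:  # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    return fields[5]          # serial, sigalg, issuer, validity, subject, SPKI
def tlsa(cert, selector):  # DANE-EE(3) text: selector 0 = full cert, 1 = SPKI only
    data = cert if selector == 0 else cert_spki(cert)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

KEY = spki_rsa((1 << 1023) | 0xC0FFEE, 65537)  # constructed modulus, not a real key
OLD = fake_cert(1, "150101000000Z", "160101000000Z", KEY)
NEW = fake_cert(2, "160101000000Z", "170101000000Z", KEY)  # renewal with the same key
```

Calling tlsa(OLD, 1) and tlsa(NEW, 1) yields the same record text; tlsa(OLD, 0) and tlsa(NEW, 0) differ because the serial and validity period changed.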