For draft-huque-dane-client-cert I'd still prefer RR names like:

    _smtp._client.example

for the cert provided by an smtp client which HELO/EHLOs as example. And similarly for other protocols. Rather than things like _smtp-client.

Putting all of the client TLSAs under a single label allows (but obviously does not require) them to be in their own zone. That can be useful.

And in the case where the proposed tls extension is not used, it should be OK for the name to be in CN, too. So something like 'MUST be in either dnsName or CN, but SHOULD be in the dnsName'.

-JimC
--
James Cloos <[email protected]>         OpenPGP: 0x997A9F17ED7DAEA6
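
An added illustration, not part of the post above and not code from the draft: it builds owner names under both layouts, counts the zone cuts each layout needs to move client TLSA records out of the parent zone, and applies the suggested dnsName-preferred, CN-accepted check. Function names, the `imap` service and the way `_smtp-client` is attached to the client name are assumptions.

```python
# Added example; all names and sample values here are constructed.

def owner_name(service, client_name, single_label=True):
    """TLSA owner name for a client that identifies itself as client_name.

    single_label=True  -> _smtp._client.example  (layout preferred in the post)
    single_label=False -> _smtp-client.example   (assumed form of the alternative)
    """
    base = client_name.rstrip(".").lower()
    if single_label:
        return f"_{service}._client.{base}"
    return f"_{service}-client.{base}"


def delegation_points(services, client_name, single_label=True):
    """Zone cuts needed to host every client TLSA RRset outside the parent zone."""
    cuts = set()
    for svc in services:
        name = owner_name(svc, client_name, single_label)
        if single_label:
            # All names share the _client.<name> suffix: one cut covers them all.
            cuts.add(name.split(".", 1)[1])
        else:
            # Each service label sits directly under <name>: one cut per service.
            cuts.add(name)
    return sorted(cuts)


def identity_source(client_name, dns_names, common_name):
    """Return 'dnsName', 'CN' or None depending on where the cert carries the name.

    dnsName entries are checked first (the SHOULD); CN is the accepted fallback.
    """
    want = client_name.rstrip(".").lower()
    if any(n.rstrip(".").lower() == want for n in dns_names):
        return "dnsName"
    if common_name and common_name.rstrip(".").lower() == want:
        return "CN"
    return None


if __name__ == "__main__":
    for layout in (True, False):
        print(layout, delegation_points(["smtp", "imap"], "example", layout))
    print(identity_source("example", [], "example"))
```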
