Viktor Dukhovni wrote:

> Well, the UKS issue is rather narrowly applicable to special TLS
> applications in which cross-origin concerns apply. That's
> basically just browsers, and browsers are not doing DANE, and
> certainly not DANE-EE(3).
I believe your concept is much too narrow. The issue affects *EVERY* TLS client that will, in at least one usage scenario, perform rfc2818 section 3.1 endpoint identification for a TLS server certificate issued from a public CA.

Every such client, when adopting an alternative TLS server certificate validation through DANE, probably ought to check the end-entity certificate for appearance of the Certificate Policy with the OID 2.23.140.1.2.2 and, for any TLS server certificate that carries this OID, enforce the rfc2818 section 3.1 endpoint identification for the hostname, no matter what kind of TLSA record/usage exists for that server.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
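The rule Martin proposes, written out as an added example that is not part of the thread: a DANE-validating client decides whether to run RFC 2818 section 3.1 endpoint identification based on the TLSA certificate usage and on whether the end-entity certificate carries the policy OID he names. The example goes slightly beyond the post by covering all four TLSA usages (0-3), and it assumes the certificate has already been parsed, so the policy OIDs and SAN dNSNames arrive as plain strings.

```python
import re
from typing import Iterable, Tuple

# Policy OID quoted in the post. Assumption: the caller has already parsed the
# EE certificate and supplies its certificatePolicies OIDs as dotted strings.
CABF_POLICY_OID = "2.23.140.1.2.2"


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 s.3.1 comparison: case-insensitive; '*' matches any single label
    or label fragment ('*.a.com' matches foo.a.com but not bar.foo.a.com,
    'f*.com' matches foo.com but not bar.com)."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(
        re.fullmatch(re.escape(p).replace(r"\*", r"[^.]*"), h) is not None
        for p, h in zip(p_labels, h_labels)
    )


def endpoint_id_ok(hostname: str, dns_names: Iterable[str]) -> bool:
    """True if any SAN dNSName matches the hostname the client connected to."""
    return any(rfc2818_match(n, hostname) for n in dns_names)


def accept_dane_server(usage: int, policy_oids: Iterable[str],
                       dns_names: Iterable[str], hostname: str,
                       tlsa_matched: bool, pkix_path_ok: bool = False) -> Tuple[bool, str]:
    """Accept/reject a server certificate under TLSA certificate usage 0..3.

    Usages 0-2 always require endpoint identification (and 0/1 a public-CA
    path).  DANE-EE(3) normally skips the name check, but per the post a
    certificate carrying CABF_POLICY_OID is name-checked regardless of usage."""
    if not tlsa_matched:
        return False, "TLSA record does not match the presented certificate/key"
    if usage in (0, 1) and not pkix_path_ok:
        return False, "PKIX-TA/PKIX-EE usage requires a valid public-CA chain"
    must_check_name = usage != 3 or CABF_POLICY_OID in set(policy_oids)
    if must_check_name and not endpoint_id_ok(hostname, dns_names):
        return False, "endpoint identification failed for " + hostname
    return True, "accepted"
```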
