On Sat, 2014-10-11 at 16:12 +0000, Viktor Dukhovni wrote: > On Sat, Oct 11, 2014 at 12:13:29PM +0200, Mark Elkins wrote:
Thanks for the details. I appreciate the education. > > I presume the motivation for using the Public-Key instead of the whole > > Certificate is either simplicity or less prone to bad key management? > Both. And this is more flexible, because it is compatible with > RFC 7250 raw public keys. That's not yet implemented in SSL > toolkits, but will be in the future. > > Could your reasoning be that the Public-Key would remain constant (for > > the same CSR) regardless of whether the Certificate is self-signed or > > signed (or resigned) by a CA? > Correct. Any certificate for the same public key (and correspoding > private key known only to the server) matches. > > ... or in other words - Certificate > > rollover will not break a TLSA using just the Public-Key? > Yes. > > But wouldn't that then break the tie to one's preferred CA? > With certificate usage DANE-EE(3) there is no tie to one's preferred > CA. The certificate content apart from the public key is effectively > ignored anyway. I'm aware that DANE ignores Expiry dates and other data but the Certificate may have embedded CA info (mine does) and if the HASH is for the whole of the certificate - then using Selector=Cert(0) means that there is an implied relationship with the embedded CA.... even if that information is subsequently ignored. The "Compatible with RFC 7250 raw public keys" could win me over though... -- Mark James ELKINS - Posix Systems - (South) Africa [email protected] Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
smime.p7s
Description: S/MIME cryptographic signature
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
