On Sat, 2014-10-11 at 18:17 +0000, Viktor Dukhovni wrote:
> On Sat, Oct 11, 2014 at 07:56:53PM +0200, Mark Elkins wrote:
>
> > > With certificate usage DANE-EE(3) there is no tie to one's preferred
> > > CA. The certificate content apart from the public key is effectively
> > > ignored anyway.
> >
> > I'm aware that DANE ignores Expiry dates and other data but the
> > Certificate may have embedded CA info (mine does) and if the HASH is for
> > the whole of the certificate - then using Selector=Cert(0) means that
> > there is an implied relationship with the embedded CA.... even if that
> > information is subsequently ignored.
>
> There is no security benefit in binding your service name to
> otherwise ignored data. Maybe this binding makes you feel like
> you wasted less money paying for the certificate? :-) And yet
> there is simply no threat that such a binding addresses that fails
> to be addressed with a binding to just the key.
>
> The "3 0 1" record offers no security benefit. It can fail needlessly
> in various situations, and does not support RFC 7250 raw public
> keys. Avoid it.
I submit.

-- 
Mark James ELKINS - Posix Systems - (South) Africa
[email protected]
Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
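The failure mode Viktor describes, shown as an added example (not code from the thread): two certificates issued for the same key give the same "3 1 1" (SubjectPublicKeyInfo) digest but different "3 0 1" (full certificate) digests, so only the latter record breaks on a routine reissue. It assumes only openssl(1) is installed; the host name, key size and validity periods are constructed sample values.

```shell
#!/bin/sh
# Added example: DANE-EE TLSA "3 0 1" (selector 0, full certificate) versus
# "3 1 1" (selector 1, SubjectPublicKeyInfo) across a reissue with the same key.
# Assumes only openssl(1); the CN, key size and validity days are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

sha256_hex() { openssl dgst -sha256 | sed 's/^.*= //'; }

# "3 0 1": digest of the whole DER certificate, so serial, validity, issuer,
# extensions and the signature all feed into the record.
tlsa_3_0_1() { openssl x509 -in "$1" -outform DER | sha256_hex; }

# "3 1 1": digest of the DER SubjectPublicKeyInfo only, which is the data a
# DANE-EE verifier actually uses (and all an RFC 7250 raw public key carries).
tlsa_3_1_1() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | sha256_hex
}

# Self-sign a certificate for an existing key; each call yields a fresh serial
# and validity window around the same public key.
issue_cert() { # $1 key file, $2 output cert, $3 validity in days
  openssl req -new -x509 -key "$1" -days "$3" -subj "/CN=mail.example.test" \
    -out "$2" 2>/dev/null
}

# Exit status 0 when the record computed from cert $1 still matches cert $2.
spki_record_survives() { [ "$(tlsa_3_1_1 "$1")" = "$(tlsa_3_1_1 "$2")" ]; }
cert_record_survives() { [ "$(tlsa_3_0_1 "$1")" = "$(tlsa_3_0_1 "$2")" ]; }

# One key, two certificates for it: the "reissue without key rollover" case.
setup_demo() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
  issue_cert "$WORK/key.pem" "$WORK/cert1.pem" 365
  issue_cert "$WORK/key.pem" "$WORK/cert2.pem" 730
}

setup_demo
for c in cert1 cert2; do
  printf '%s  3 0 1 %s\n' "$c" "$(tlsa_3_0_1 "$WORK/$c.pem")"
  printf '%s  3 1 1 %s\n' "$c" "$(tlsa_3_1_1 "$WORK/$c.pem")"
done
if spki_record_survives "$WORK/cert1.pem" "$WORK/cert2.pem"; then
  echo '3 1 1 record still matches after reissue with the same key'
fi
if ! cert_record_survives "$WORK/cert1.pem" "$WORK/cert2.pem"; then
  echo '3 0 1 record no longer matches: the published TLSA record would have to change'
fi
```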
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
