On Tue, Dec 16, 2014 at 03:02:22PM +0100, Hubert Kario wrote:
> > DANE TLSA PKIX-TA(0) records can designate the digest of a trust
> > anchor selected by the server operator. When TLS server transmits
> > a corresponding certificate chain it may not be safe to replace
> > that chain with a shorter chain, because the shorter chain may not
> > employ the designated trust anchor, causing DANE TLSA checks to
> > fail.
>
> But then why would you use the PKIX chain builder with system root store?
With certificate usage PKIX-TA(0) that's exactly what one is supposed
to do. You're confusing PKIX-TA(0) with DANE-TA(2).
> If you use DANE with CA digest, then the server needs to send all
> certificates, so you just need to validate the chain you have - you don't
> have
See above.
--
Viktor.
_______________________________________________
openssl-dev mailing list
[email protected]
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
