On Sun, Dec 15, 2013 at 06:49:20PM +0000, Viktor Dukhovni wrote:

> What certificate public key did you fingerprint? Your root CA
> certificate, or your server certificate? Why did you specify usage 0?

It sure looks like your TLSA RR contains the public digest of your server certificate, and yet you specified "certificate usage 0", rather than "certificate usage 3", which is the correct usage in this case. It would be helpful to know how you arrived at this choice.

There is a draft in final stages of review that is supposed to assign less confusing (than the raw numbers) acronyms to the three DANE TLSA record parameters. I've been voicing concerns that the proposed names do little to clarify the usages. I've not garnered much support.

My preferred names for the DANE usages that make them less confusing are:

    0 - SECURITY-THEATRE-0 (draft PKIX-TA)
    1 - SECURITY-THEATRE-1 (draft PKIX-EE)
    2 - Trusted-Issuer (draft DANE-TA)
    3 - Valid-Leaf (draft DANE-EE)

and for the selectors:

    1 - Certificate (draft Cert)
    2 - Public-Key (draft SPKI)

Thus "3 1 1" would be:

    _25._tcp.mail.sys4.de. IN TLSA Valid-Leaf Public-Key SHA2-256 {data}

(draft: _25._tcp.mail.sys4.de. IN TLSA DANE-EE SPKI SHA2-256 {data})

-- 
Viktor.
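The message above turns on what a "3 1 1" record actually is: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA2-256), i.e. the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo taken from the server's own leaf certificate. The following Python is an added example, not part of Viktor's message or of any project he describes. It walks a certificate's DER structure with a small hand-written ASN.1 reader (no third-party library), pulls out the SPKI, and builds the TLSA RDATA, using the draft mnemonics (PKIX-TA, PKIX-EE, DANE-TA, DANE-EE, Cert, SPKI) as lookup names for the registry numbers. The certificate it runs on is a constructed, unsigned, structurally valid stand-in with a fake Ed25519 key, generated inline so the block runs offline; the owner name is the one from the message.

```python
import hashlib

# TLSA parameter mnemonics (draft names quoted in the message) mapped to
# the registry numbers. Selector "Cert" is 0 and "SPKI" is 1.
USAGE = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}
SELECTOR = {"Cert": 0, "SPKI": 1}
MATCHING = {"Full": 0, "SHA2-256": 1, "SHA2-512": 2}


def der_tlv(data, offset=0):
    """Read one DER tag/length at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(data, start, end):
    """Yield (tag, elem_start, elem_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = der_tlv(data, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, cstart, _ = der_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tstart, tend = der_tlv(cert_der, cstart)      # tbsCertificate ::= SEQUENCE
    elems = list(der_children(cert_der, tstart, tend))
    if elems[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        elems = elems[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, s, e = elems[5]
    return cert_der[s:e]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def tlsa_rdata(cert_der, usage="DANE-EE", selector="SPKI", matching="SHA2-256"):
    """Return (usage, selector, matching_type, association_data_hex)."""
    data = extract_spki(cert_der) if selector == "SPKI" else cert_der
    if matching == "Full":
        assoc = data.hex()
    elif matching == "SHA2-256":
        assoc = sha256_hex(data)
    else:
        assoc = hashlib.sha512(data).hexdigest()
    return USAGE[usage], SELECTOR[selector], MATCHING[matching], assoc


def tlsa_record(owner, cert_der, **params):
    u, s, m, hexdata = tlsa_rdata(cert_der, **params)
    return f"{owner} IN TLSA {u} {s} {m} {hexdata}"


def _der(tag, content):
    """Minimal DER encoder for the constructed sample (lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def constructed_sample_cert():
    """Constructed for this example: an unsigned, structurally valid v3 cert.

    Returns (cert_der, spki_der) so the SPKI can be checked independently."""
    alg = _der(0x30, _der(0x06, bytes([0x2B, 0x65, 0x70])))   # id-Ed25519
    pubkey = _der(0x03, b"\x00" + bytes(range(32)))            # fake 32-byte key
    spki = _der(0x30, alg + pubkey)
    version = _der(0xA0, _der(0x02, b"\x02"))                  # v3
    serial = _der(0x02, b"\x01")
    name = _der(0x30, b"")                                     # empty Name
    validity = _der(0x30, _der(0x17, b"131215000000Z") + _der(0x17, b"141215000000Z"))
    tbs = _der(0x30, version + serial + alg + name + validity + name + spki)
    signature = _der(0x03, b"\x00" + bytes(64))                # placeholder bits
    return _der(0x30, tbs + alg + signature), spki


if __name__ == "__main__":
    cert, _ = constructed_sample_cert()
    print(tlsa_record("_25._tcp.mail.sys4.de.", cert))                  # 3 1 1
    print(tlsa_record("_25._tcp.mail.sys4.de.", cert, selector="Cert"))  # 3 0 1
```

Computing the digest over the SPKI rather than the whole certificate is what lets the record survive a certificate renewal that keeps the same key; and because the digest comes from the leaf, the usage must be DANE-EE (3), which is the mismatch the message points out when usage 0 is paired with a server-certificate digest.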