* Viktor Dukhovni <postfix-users@postfix.org>:
> On Sun, Dec 15, 2013 at 06:49:20PM +0000, Viktor Dukhovni wrote:
> 
> > What certificate public key did you fingerprint?  Your root CA
> > certificate, or your server certificate?  Why did you specify usage 0?
> 
> It sure looks like your TLSA RR contains the public digest of your
> server certificate, and yet you specified "certificate usage 0",
> rather than "certificate usage 3" which is the correct usage in
> this case.  It would be helpful to know how you arrived at this
> choice.

Learning by copy & paste. I copied from yesterday's (?) thread on DANE and your
instruction:

    Well, you're unlikely to have working TLSA RRs for your SMTP service
    just by happenstance.  If you want to create a TLSA RRset for your
    SMTP server, run the attached "tlsagen" shell script as follows:

        $ tlsagen cert.pem $(uname -n) DANE-EE PKEY SHA2-256
        _25._tcp.mail.example.com IN TLSA 3 1 1 {hex string}


I did:

tlsagen mail.state-of-mind.de.pem mail.state-of-mind.de DANE-EE CERT SHA2-256
_25._tcp.mail.state-of-mind.de. IN TLSA 0 0 1 
4CCFD929E7C2646022AD1A80F66B29C2F37C14D95245C0624490B90074A014A7

Hmmm, looking at this, DANE-EE seems to be the right option to specify usage
'3'. Could it be there's something wrong with your script?


> There is a draft in final stages of review that is supposed to
> assign less confusing (than the raw numbers) acronyms to the three
> DANE TLSA record parameters.  I've been voicing concerns that the

I've been following your efforts to clarify the wording on the list.

> proposed names do little to clarify the usages.  I've not garnered
> much support.

Yes, sadly.

p@rick



> My preferred names for the DANE usages that make them less confusing are:
> 
>       0 - SECURITY-THEATRE-0          (draft PKIX-TA)
>       1 - SECURITY-THEATRE-1          (draft PKIX-EE)
>       2 - Trusted-Issuer              (draft DANE-TA)
>       3 - Valid-Leaf                  (draft DANE-EE)
> 
> and for the selectors:
> 
>       1 - Certificate                 (draft Cert)
>       2 - Public-Key                  (draft SPKI)
> 
> Thus "3 1 1" would be:
> 
>     _25._tcp.mail.sys4.de. IN TLSA Valid-Leaf Public-Key SHA2-256 {data}
> 
> (draft: _25._tcp.mail.sys4.de. IN TLSA DANE-EE SPKI SHA2-256 {data})
> 
> -- 
>       Viktor.

-- 
[*] sys4 AG
 
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
 
Registered office: München, Amtsgericht München (district court): HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
 

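An added example in Python (not the tlsagen script from the thread) that builds the TLSA record from the DANE names, mapping DANE-EE / PKEY / SHA2-256 onto the "3 1 1" fields, with a minimal DER walker that pulls the SubjectPublicKeyInfo out of a certificate; the certificates and key are constructed stand-ins and the hostname is a placeholder. It also shows why PKEY (selector 1) is the usual choice with DANE-EE: the "3 1 1" record stays the same when the certificate is renewed with the same key, while a CERT (selector 0) digest changes.

```python
import hashlib

USAGE = {"PKIX-TA": 0, "PKIX-EE": 1, "DANE-TA": 2, "DANE-EE": 3}
SELECTOR = {"CERT": 0, "PKEY": 1}       # PKEY = SubjectPublicKeyInfo (SPKI)
MTYPE = {"FULL": 0, "SHA2-256": 1, "SHA2-512": 2}

def der(tag, body):
    """DER TLV encoder, short-form lengths only (enough for the sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def tlv(buf, off=0):
    """Decode one DER TLV at buf[off:]; returns (tag, value, end offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                        # long-form length, as real certs use
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert, _ = tlv(cert_der)           # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = tlv(cert)                # tbsCertificate is its first element
    off, fields = 0, []
    while off < len(tbs):
        start = off
        tag, _, off = tlv(tbs, off)
        fields.append((tag, tbs[start:off]))
    if fields[0][0] == 0xA0:             # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]                  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rr(host, cert_der, usage="DANE-EE", selector="PKEY", mtype="SHA2-256", port=25):
    """Build the record 'tlsagen cert.pem host DANE-EE PKEY SHA2-256' is meant to emit."""
    data = cert_der if selector == "CERT" else spki_of(cert_der)
    if mtype != "FULL":
        data = hashlib.new(mtype.replace("SHA2-", "sha"), data).digest()
    return (f"_{port}._tcp.{host}. IN TLSA {USAGE[usage]} {SELECTOR[selector]} "
            f"{MTYPE[mtype]} {data.hex().upper()}")

def fake_cert(serial, spki):
    """Constructed DER stand-in for a certificate: correct layout, dummy contents."""
    empty = der(0x30, b"")               # placeholder AlgorithmIdentifier / Name / Validity
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + empty * 4 + spki
    return der(0x30, der(0x30, tbs) + empty + der(0x03, b"\x00"))

# One constructed key carried by two certificates with different serials (a renewal).
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")))
            + der(0x03, b"\x00" + bytes(range(64))))
CERT_OLD, CERT_NEW = fake_cert(b"\x01", SPKI), fake_cert(b"\x02", SPKI)
```

Printing `tlsa_rr("mail.example.com", CERT_OLD)` and the same call for `CERT_NEW` gives identical "3 1 1" records, while `selector="CERT"` gives two different "3 0 1" records.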