Re: [dane] "need not change across certificate renewals with the same key"

2015-05-12 Thread Viktor Dukhovni
On Tue, May 12, 2015 at 08:46:54AM -0400, Kyle Rose wrote:
> The draft statement that the record "need not change across certificate
> renewals with the same key" seems misleading.

This is taken out of context. The full text in Section 5.1 of draft-ietf-dane-ops is: TLSA records published fo

Re: [dane] "need not change across certificate renewals with the same key"

2015-05-12 Thread Paul Wouters
On Tue, 12 May 2015, Kyle Rose wrote: If the DANE-EE entry has a SubjectPublicKeyInfo hash, then the metadata within the certificate can be trusted only if the certificate signature is validated against a trust anchor: a self-signed certificate is sufficient (and probably ideal) here, since th

Re: [dane] "need not change across certificate renewals with the same key"

2015-05-12 Thread Kyle Rose
If the DANE-EE entry has a SubjectPublicKeyInfo hash, then the metadata within the certificate can be trusted only if the certificate signature is validated against a trust anchor: a self-signed certificate is sufficient (and probably ideal) here, since the client has already trusted the public key

Re: [dane] "need not change across certificate renewals with the same key"

2015-05-12 Thread Paul Wouters
On Tue, 12 May 2015, Kyle Rose wrote: The draft statement that the record "need not change across certificate renewals with the same key" seems misleading. If anything in the certificate changes—and typically the expiration date will change if a certificate is regenerated using common tools, w

[dane] "need not change across certificate renewals with the same key"

2015-05-12 Thread Kyle Rose
I wasn't able to find anything in the archives addressing this, so apologies in advance if this has been discussed. The draft statement that the record "need not change across certificate renewals with the same key" seems misleading. If anything in the certificate changes—and typically the expirat