On 9 November 2015 at 19:42, James Cloos <[email protected]> wrote:
> >>>>> "DC" == Dave Cridland <[email protected]> writes:
>
> DC> No, that's not true. That's only true if the TLSA records provide a
> DC> specific EE cert; that is, Certificate Usage 3. All other cases involve
> DC> path validation and name checks.
>
> Even with types 0, 1 or 2, the point is that the machine name is always
> used rather than any service name, so it only needs a single cert and
> therefore sni doesn't do anything.
>

No. The reference identifier is *always* the service domain name and only
includes the hostname if there is secure delegation. See RFC 7673 §4.1:
https://tools.ietf.org/html/rfc7673#section-4

> Obviously sni is still needed in the short-term until dnssec is more
> widely usable, but I was specific that I was writing about dane's long
> term goal in the mx/srv case.
>
> And you seem to be mistaken.
> -JimC
> --
> James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6
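An added illustration (not code from the thread or from either poster) of the two rules argued above: the service domain is always a reference identifier and the SRV target host is added only when the SRV lookup was DNSSEC-secure, and the name check is skipped only for TLSA Certificate Usage 3. The SrvResult type and the names example.com and xmpp1.hosting.example are constructed for the example.

```python
from dataclasses import dataclass

DANE_EE = 3  # TLSA certificate usage 3: the record pins the end-entity cert itself


@dataclass(frozen=True)
class SrvResult:
    """Outcome of a client's SRV (or MX) lookup; constructed for this example."""
    service_domain: str  # the name the user asked for, e.g. "example.com"
    target_host: str     # the SRV/MX target, e.g. "xmpp1.hosting.example"
    secure: bool         # True only if the SRV RRset was validated by DNSSEC


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".")


def reference_identifiers(srv: SrvResult) -> frozenset:
    """Names the presented certificate may be matched against (RFC 7673 rule)."""
    ids = {_norm(srv.service_domain)}          # always present
    if srv.secure:                             # hostname only under secure delegation
        ids.add(_norm(srv.target_host))
    return frozenset(ids)


def name_check_required(tlsa_usage: int) -> bool:
    """Usages 0, 1 and 2 still do path validation plus name checks; only 3 does not."""
    return tlsa_usage != DANE_EE


def cert_name_matches(srv: SrvResult, tlsa_usage: int, san_dns_names) -> bool:
    """True if the certificate passes the name check (or no check is required)."""
    if not name_check_required(tlsa_usage):
        return True
    presented = {_norm(n) for n in san_dns_names}
    return bool(presented & reference_identifiers(srv))
```

With an insecure SRV answer a certificate carrying only the target host name fails under usages 0, 1 and 2; the same certificate passes once the SRV lookup is secure, and passes regardless under usage 3.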
