Hello,

As for the checkbox, I meant something like

  [ ] Trust DANE w/o CAs
  [ ] Trust CAs w/o DANE

i.e. globally, not per domain. I admit it's not very practical.

As for the self-constrained cert, assume the private key is compromised. Now I tell my CA to revoke the certificate, and with DNSSEC I can't revoke and have to wait. If the certificate "constrains itself" to require a CA validation, having a signed TLSA record will not prevent me from revoking it. Actually, now I see that this also answers my own question why we need usages 0 and 1: they allow CA-based revocation in case of private key compromise. I wonder if it's the only scenario which benefits from usage 0/1?

Actually, what made me ask is the following statement in http://tools.ietf.org/html/rfc6394#section-3.1

> Continuing to require PKIX validation also limits the degree to which
> DNS operators (as distinct from the holders of domains) can interfere
> with TLS authentication through this mechanism. As above, even if a
> DNS operator falsifies DANE records, it cannot masquerade as the
> target server unless it can also obtain a certificate for the target
> domain.

I wonder how the fact that I created one record with use case 0 prevents my DNS operator from creating a false record with use case 2.

Alex
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
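A minimal model of the client-side TLSA matching rules the thread is discussing (RFC 6698 usages 0-3 and the "any matching record accepts" rule), added here as an illustration; it is not code from the list thread or from any DANE implementation. Certificates are constructed byte strings standing in for DER, PKIX path validation (including revocation) is simulated by a boolean, and the chain-building step for trust-anchor usages is omitted.

```python
import hashlib

# Certificate usage values from RFC 6698 section 2.1.1.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Constructed stand-ins for DER-encoded certificates (no real DER is parsed here).
CA_CERT = b"constructed-der:example-ca"
SERVER_CERT = b"constructed-der:server-signed-by-example-ca"
OTHER_CA = b"constructed-der:some-other-ca"
OTHER_SERVER = b"constructed-der:server-signed-by-some-other-ca"


def tlsa_record(usage, cert_der):
    """Build a TLSA record tuple: (usage, selector 0 = full cert, matching 1 = SHA-256, data)."""
    return (usage, 0, 1, hashlib.sha256(cert_der).digest())


def association_data(cert_der, selector, matching):
    # Selector 1 (SubjectPublicKeyInfo) would need ASN.1 parsing; only selector 0 is modelled.
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is modelled")
    if matching == 0:
        return cert_der
    if matching == 1:
        return hashlib.sha256(cert_der).digest()
    if matching == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type")


def record_matches(record, chain, pkix_valid):
    """chain[0] is the end-entity cert; pkix_valid is the (simulated) outcome of
    ordinary CA path validation, including revocation checks."""
    usage, selector, matching, data = record
    # Usages 0 and 1 keep the CA in the loop: a revoked or untrusted chain fails the match.
    if usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
        return False
    # End-entity usages match only the leaf; trust-anchor usages match any presented cert
    # (simplification: a real client also verifies that the chain leads to that anchor).
    candidates = chain[:1] if usage in (PKIX_EE, DANE_EE) else chain
    return any(association_data(c, selector, matching) == data for c in candidates)


def dane_validate(rrset, chain, pkix_valid):
    """RFC 6698 section 4: the connection is accepted if any usable TLSA record matches."""
    return any(record_matches(r, chain, pkix_valid) for r in rrset)
```

Because the client accepts the first matching record in the RRset, the integrity of the signed zone itself is what protects a usage 0/1 deployment from additional records; the example makes that dependency visible.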
