On Sep 13, 2011, at 3:54 AM, Richard L. Barnes wrote:

> Hey Chris & Chris,
>
> This seems like a useful near-term approach, but also probably something that
> might want to migrate to DANE over time.
>
> Is there any particular reason you're using key fingerprints instead of cert
> fingerprints? It seems like the latter might be slightly easier to
> implement, since you don't have to parse the cert.
I can think of two reasons.

1. Sometimes certificates are renewed periodically with the same public key. This is very common for sub-CAs and less so for EE certificates, but unless it has been compromised, or NIST recommends that you double your bit-length again, there's no reason not to use the same old public key and the new certificate.

2. The spec talks about having a backup key pair kept offline. Although the spec says that you should have that key pair signed by a different CA, you can save money by not having it signed unless your "live" certificate has been lost or otherwise compromised. With the full automation you get with today's CAs, you can get a DV certificate in a matter of minutes. EV certificates take longer, but if you're the kind of organization that buys EV certificates, you might want a backup plan that includes a signed certificate.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
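Both reasons above can be checked in a few lines. The following Go program is an added illustration, not code from the thread or the draft: it renews a certificate on the same key and shows that a SubjectPublicKeyInfo (key) pin survives the renewal while a whole-certificate fingerprint does not, and that the pin for an offline backup key can be computed from the bare public key with no certificate at all. It assumes self-signed certificates stand in for CA-issued ones and that a pin is base64(SHA-256(DER SPKI)); the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// pinSHA256 is the assumed pin encoding: base64(SHA-256(bytes)).
func pinSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// selfSigned issues a one-year self-signed cert; a renewal reuses the key but changes serial and dates.
func selfSigned(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0)}
	return must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
}

// KeyPin parses the certificate and hashes only its SubjectPublicKeyInfo, as a pinning client does.
func KeyPin(certDER []byte) string {
	return pinSHA256(must(x509.ParseCertificate(certDER)).RawSubjectPublicKeyInfo)
}

// CertPin hashes the whole certificate, so it changes on every renewal.
func CertPin(certDER []byte) string { return pinSHA256(certDER) }

// BareKeyPin pins a public key that has never been placed in a certificate (the offline backup key).
func BareKeyPin(pub *ecdsa.PublicKey) string {
	return pinSHA256(must(x509.MarshalPKIXPublicKey(pub)))
}

// Demo returns (keyPinSurvivesRenewal, certPinSurvivesRenewal, bareKeyPinMatchesCertDerivedPin).
func Demo() (bool, bool, bool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	c1, c2 := selfSigned(key, 1, time.Now()), selfSigned(key, 2, time.Now().AddDate(1, 0, 0))
	return KeyPin(c1) == KeyPin(c2), CertPin(c1) == CertPin(c2), BareKeyPin(&key.PublicKey) == KeyPin(c1)
}
```

Demo() returns (true, false, true): the key pin is stable, the cert fingerprint is not, and the backup key's pin computed from the bare key equals what a client would derive once that key is eventually certified.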
