On Sat, Aug 22, 2015 at 05:24:03AM -0700, Alice Wonder wrote:
> >>The certificate is a 1 0 1 and not a 3 0 1
> >>
> >>It seems to suggest that I change the TLSA record to 3 0 1
> >
> >Or even better a "3 1 1".
>
> Why is hash of SubjectPublicKeyInfo preferred over hash of the actual
> certificate?
https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-5.1

   More specifically, it is RECOMMENDED that at most sites TLSA records
   published for DANE servers be "DANE-EE(3) SPKI(1) SHA2-256(1)" records.
   Selector SPKI(1) is chosen because it is compatible with raw public keys
   ([RFC7250]) and the resulting TLSA record need not change across
   certificate renewals with the same key. Matching type SHA2-256(1) is
   chosen because all DANE implementations are required to support
   SHA2-256.

-- 
	Viktor.
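Added illustration (not part of the thread, and not code from Viktor or from any DANE implementation): the script below derives TLSA RDATA from a certificate's DER encoding with only the Python standard library, so the difference between selector Cert(0) and SPKI(1) can be seen directly. It walks the Certificate/TBSCertificate structure to the subjectPublicKeyInfo element and hashes its full DER encoding (tag, length and value), which is what matching type SHA2-256(1) covers. The two "certificates" it feeds in are hand-built DER skeletons with a made-up RSA key body and no real signature; `fake_cert`, `fake_spki`, `OLD_CERT`, `NEW_CERT` and `KEY` are constructed for the example. `extract_spki` and `tlsa_rdata` work unchanged on a real DER certificate read from a file.

```python
"""Derive DANE TLSA RDATA ("usage selector mtype digest") from a DER certificate.

Added example, standard library only. The sample certificates are constructed
DER skeletons (valid structure, fake key, fake signature), enough to show that
"3 1 1" stays constant across a renewal that keeps the key while "3 0 1" does not.
"""
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Decode the element starting at pos; return (tag, value, end_offset)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete DER TLV of subjectPublicKeyInfo from an X.509 cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = der_read(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    pos = 0
    tag, _, end = der_read(tbs, pos)
    if tag == 0xA0:          # explicit [0] version is optional (absent in v1 certs)
        pos = end
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tbs[pos:end]      # tag + length + value: what DANE SPKI(1) hashes


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Build TLSA RDATA, e.g. "3 1 1 <sha256 hex of the SPKI DER>"."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:           # Full(0): the DER itself, hex encoded
        digest = data.hex()
    elif mtype == 1:         # SHA2-256(1): mandatory to implement for DANE
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:         # SHA2-512(2)
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {digest}"


# --- constructed sample input (DER skeletons, not real certificates) ---------
OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def fake_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo with rsaEncryption and a stand-in key BIT STRING."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_RSA) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))


def fake_cert(serial: int, not_before: bytes, not_after: bytes, spki: bytes) -> bytes:
    """v3 certificate skeleton: empty names, UTCTime validity, zero signature."""
    alg = der_tlv(0x30, der_tlv(0x06, OID_SHA256_RSA) + der_tlv(0x05, b""))
    name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, not_before) + der_tlv(0x17, not_after))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # version v3 (value 2)
                  + der_tlv(0x02, bytes([serial]))
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" + bytes(64)))


KEY = bytes(range(1, 65))    # constructed stand-in for an RSA public key body
OLD_CERT = fake_cert(1, b"150101000000Z", b"160101000000Z", fake_spki(KEY))
NEW_CERT = fake_cert(2, b"160101000000Z", b"170101000000Z", fake_spki(KEY))

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("renewed", NEW_CERT)):
        print(label, tlsa_rdata(cert, 3, 0, 1))   # changes on renewal
        print(label, tlsa_rdata(cert, 3, 1, 1))   # same key, same record
```

Running it prints two differing "3 0 1" lines and two identical "3 1 1" lines, which is the renewal property the draft cites. The same digest as the "3 1 1" line is what `openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` produces for a real certificate, so the script can be used to cross-check a published record against the key actually served.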