On Sat, Aug 22, 2015 at 05:33:20AM -0700, Alice Wonder wrote:

> >https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-5.1
> >
> >    More specifically, it is RECOMMENDED that at most sites TLSA records
> >    published for DANE servers be "DANE-EE(3) SPKI(1) SHA2-256(1)"
> >    records.  Selector SPKI(1) is chosen because it is compatible with
> >    raw public keys ([RFC7250]) and the resulting TLSA record need not
> >    change across certificate renewals with the same key.  Matching type
> >    SHA2-256(1) is chosen because all DANE implementations are required
> >    to support SHA2-256.
> >
> 
> Okay thanks, I'm now getting into the practice of generating new private
> keys once a year anyway, just because there have been exploits in the past
> (e.g. Heartbleed) that allowed private key compromise remotely. So ease of
> re-issue isn't an issue for me.

Well, if you really want to avoid exploits, then future support
for RFC7250 that sidesteps all the issues around X.509 certificate
parsing, and just has the server present its public key might be
a reason to prefer "3 1 1" in the future.

In the meantime, you can of course use "3 0 1", but there's no
real advantage to doing so.

-- 
        Viktor.

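Added example, not part of the original thread and not Viktor's or Alice's code: it derives both candidate TLSA records from a certificate with the usual openssl pipelines, then "renews" the certificate for the same key and shows that the "3 1 1" (DANE-EE, SPKI, SHA2-256) record is unchanged while the "3 0 1" (full certificate hash) record is not. It assumes openssl is installed with its default configuration, uses a scratch directory, and the key, subject name and validity periods are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Assumptions: openssl is on PATH with a usable default config; a temp dir
# is writable. Key, subject and validity values are constructed for illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Lower-case hex SHA-256 of the DER bytes read on stdin.
sha256_hex() {
    openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# "3 0 1": DANE-EE(3), selector Cert(0), SHA2-256(1) over the whole DER certificate.
# This value changes on every renewal, even when the key is reused.
tlsa_3_0_1() {
    printf '3 0 1 %s\n' "$(openssl x509 -in "$1" -outform DER | sha256_hex)"
}

# "3 1 1": DANE-EE(3), selector SPKI(1), SHA2-256(1) over the DER
# SubjectPublicKeyInfo. Depends only on the public key, so it survives
# renewals that keep the same key (and matches an RFC 7250 raw public key).
tlsa_3_1_1() {
    printf '3 1 1 %s\n' "$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | sha256_hex)"
}

# One P-256 key, then two self-signed certificates for it: the second
# stands in for a renewal (new serial, new validity, same key).
make_certs() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=mail.example.test" \
        -days 365 -out "$WORK/cert1.pem" 2>/dev/null
    openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=mail.example.test" \
        -days 366 -out "$WORK/cert2.pem" 2>/dev/null
}

make_certs

echo "Original certificate:"
tlsa_3_0_1 "$WORK/cert1.pem"
tlsa_3_1_1 "$WORK/cert1.pem"
echo "Renewed certificate, same key:"
tlsa_3_0_1 "$WORK/cert2.pem"
tlsa_3_1_1 "$WORK/cert2.pem"
```

When a renewal does rotate the key, as Alice plans to do yearly, either record type has to be republished; the usual practice is to publish the new "3 1 1" record alongside the old one ahead of the key change, wait out the TTL, then retire the old record.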