Never mind, further down the README reads:
Support for certificate usage "1" is an experiment, it may be
withdrawn in the future. Server operators SHOULD NOT publish TLSA
records with usage "1".
So one part of the README says that 1 is treated as 3 and another part
says that it may be withdrawn in the future.
Well, then I suppose I'll just code my zone-signing script to do a sed
replace on TLSA records on port 25 so I don't have to remember it is
different.
But if it is the server that doesn't care about CA validation, then it is
the server that should accommodate valid TLSA records and treat a 1 x x
as a 3 x x - in my not-so-humble opinion.
That way servers that do want to care can still have the option to care.
On 08/26/2015 07:32 PM, Alice Wonder wrote:
Ever since I got that automated e-mail telling me my
1 0 1 hash
TLSA record was not usable, I have been confused, because that conformed
to the DANE / TLSA RFC.
I suggested that maybe SMTP servers, which are only doing hostname
validation and can't be expected to CA validate, should treat a 1 x x as
a 3 x x and was basically shot down for suggesting that.
But now reading the Postfix documentation, that seems to be exactly what it
suggests:
http://www.postfix.org/TLS_README.html#client_tls_dane
``TLSA records with usage "1" are instead treated as "trust assertions"
and mapped to usage "3". Specifically, with certificate usage "1",
Postfix will not require the remote SMTP server's certificate to be
trusted with respect to any locally defined public CAs''
That's what makes sense to me.
I have since changed my _25._tcp TLSA record to use
3 0 1 hash
But now reading the Postfix documentation, it seems that isn't necessary.
Is it necessary or isn't it?
And please don't suggest I leave for a month, I am just trying to
understand.
I like things KISS, and DANE seems to no longer be KISS with the TLSA record
specification varying depending on the port.
And now it seems the Postfix docs are in contrast with the draft.
Thank you to anyone who can help me understand what is really going on.
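The sed-style rewrite mentioned at the top of the thread, as an added example that is not code from the thread or from Postfix: it lists and rewrites usage-1 TLSA records under _25._tcp to usage 3, leaving other ports and other usages untouched. The zone content and hashes are constructed placeholders, and the parser assumes one record per line with an explicit owner name (no blank-owner continuation lines).

```python
import re

# owner [TTL] [class] TLSA usage selector matching-type data
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)(?P<mid>\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+)"
    r"(?P<usage>\d)(?P<rest>\s+\d\s+\d\s+\S.*)$",
    re.IGNORECASE,
)


def _smtp_usage1(line, prefix):
    """Match object if `line` is a _<port>._tcp TLSA record with usage 1."""
    m = TLSA_RE.match(line)
    if m and m.group("owner").lower().startswith(prefix) and m.group("usage") == "1":
        return m
    return None


def smtp_usage1_records(zone_text, port=25):
    """(line number, owner) of port-`port` TLSA records still published with
    usage 1, which the Postfix README says server operators should not do."""
    prefix = f"_{port}._tcp."
    return [
        (lineno, m.group("owner"))
        for lineno, line in enumerate(zone_text.splitlines(), 1)
        if (m := _smtp_usage1(line, prefix))
    ]


def rewrite_smtp_tlsa(zone_text, port=25):
    """Zone text with usage 1 -> 3 on _<port>._tcp TLSA records only; TTL,
    class, selector, matching type and data are preserved as written."""
    prefix = f"_{port}._tcp."
    out = []
    for line in zone_text.splitlines():
        m = _smtp_usage1(line, prefix)
        if m:
            line = f"{m.group('owner')}{m.group('mid')}3{m.group('rest')}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample zone; the hex data fields are placeholders, not real hashes.
SAMPLE_ZONE = """\
; constructed sample zone
_25._tcp.mail.example.com. 3600 IN TLSA 1 0 1 0123abcd
_25._tcp.mail.example.com. IN TLSA 2 1 1 4567ef01
_443._tcp.www.example.com. IN TLSA 1 0 1 89ab2345
_25._tcp.mx2.example.com.  TLSA 3 1 1 cdef6789
"""
```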