On Thu, Aug 27, 2015 at 12:46:29PM -0700, Alice Wonder wrote:

> Maybe 0 and 1 for Certificate Usage field should be deprecated in DANE
> altogether, especially if there ever are plans to move away from Certificate
> Authorities in the future.

First win the user base, then win the standards war. It is unwise to invest upfront the enormous political cost of trying to preemptively change the standard before substantial deployment of DANE of whatever variety. The time to invest precious energy into making such changes would be once DANE-TA(2)/DANE-EE(3) are widely deployed with no discernible or likely deployment of PKIX-TA(0)/PKIX-EE(1).

By all means avoid deploying TLSA records with usages 0/1. You don't need them.

--
Viktor.