On Sat, Aug 22, 2015 at 05:33:20AM -0700, Alice Wonder wrote:
> >https://tools.ietf.org/html/draft-ietf-dane-ops-16#section-5.1
> >
> >More specifically, it is RECOMMENDED that at most sites TLSA records
> >published for DANE servers be "DANE-EE(3) SPKI(1) SHA2-256(1)"
> >records. Sel
On 08/22/2015 05:27 AM, Viktor Dukhovni wrote:
On Sat, Aug 22, 2015 at 05:24:03AM -0700, Alice Wonder wrote:
> >>The certificate is a 1 0 1 and not a 3 0 1
> >>
> >>It seems to suggest that I change the TLSA record to 3 0 1
> >
> >Or even better a "3 1 1".
>
> Why is hash of SubjectPublicKeyInfo preferred over hash of the actual
> certificate
On 08/22/2015 05:20 AM, Viktor Dukhovni wrote:
---
The certificate is a 1 0 1 and not a 3 0 1
It seems to suggest that I change the TLSA record to 3 0 1
Or even better a "3 1 1".
Why is hash of SubjectPublicKeyInfo preferred over hash of the actual
certificate?
On Fri, Aug 21, 2015 at 10:41:49PM -0700, Alice Wonder wrote:
> I received a rather weird e-mail; it seems to have been generated by an MTA
> because it was sent to the e-mail listed as the contact in my certificate,
> the e-mail listed in whois for my domain, and the postmaster e-mail.
Sorry my
I think I might have guessed the reasoning.
The IETF draft is rather long and hard for me to read. I will try, but I
lose concentration quickly, and I did not detect the reason within it.
I think however that maybe the issue has to do with DANE libraries.
If a 0 x x or a 1 x x record is used,
I received a rather weird e-mail; it seems to have been generated by an
MTA because it was sent to the e-mail listed as the contact in my
certificate, the e-mail listed in whois for my domain, and the
postmaster e-mail.
It claims:
---
Only certificate usages DANE-TA(2) and DANE-EE(3) are supp