Does a DANE certificate have the same "name" as a non-DANE certificate? If the
subjectAltName for a DANE-based certificate is the same as for non-DANE, then
yes the rules should apply. If not, no.
I cannot answer that question, and look to you experts to advise us.
Note that "validating the ch
On Mon, Jun 27, 2022 at 05:15:09PM +, Salz, Rich wrote:
> Does a DANE certificate have the same "name" as a non-DANE
> certificate?
Yes, the name is a DNS name, and for DANE certificate usages PKIX-TA(0),
PKIX-EE(1) and DANE-TA(2) the same logic applies to the EE certificate
as in PKIX with W
On 6/25/22 8:30 AM, Yaron Sheffer wrote:
Thank you Rich and Peter, some follow-ups below.
Yaron
On 6/25/22, 02:07, "Peter Saint-Andre" wrote:
> In the archive [1], Yaron's message continued as follows...
>
> ###
>
> * No definition is given for "FQDN" eve
On 6/25/22 6:20 PM, Peter Gutmann wrote:
Yaron Sheffer writes:
This revision addresses Ben's SecDir review, as well as several other
reviewers' comments. Thank you all!
It doesn't have anything about EtM as per the recent discussion though...
The conclusion of that discussion wasn't clear
Most items Yaron raised (thanks for the review!) are addressed in
https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/50/files
>> * The DTLS reference should change to DTLS 1.3.
>> * See Appendix A of [VERIFY]
>> * The rules are brief - it's not clear from the te
On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
> > Yep, we can punt the definition but then we need to address all the special
> > cases.
>
> I would prefer to bring back the reference to RFC 1034.
A DNS FQDN is a sequence of dot-separated labels each of whose wire forms
is a
On 6/24/22 5:07 PM, Peter Saint-Andre wrote:
* Which identifier types a client includes in its list of reference
identifiers, and their priority, is a matter of local policy - given
the situation today, can we have a normative recommendation for
clients to be strict in constructing their refer
On 6/25/22 2:43 PM, Viktor Dukhovni wrote:
On Sat, Jun 25, 2022 at 10:13:28PM +0300, Yaron Sheffer wrote:
My question was about identity validation, which is what 6125bis is
about. So it's a subset of your second option, "validation of
certificates". And yes, this boils to, are DANE-based EE ce
On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
Yep, we can punt the definition but then we need to address all the special
cases.
I would prefer to bring back the reference to RFC 1034.
A DNS FQDN is a sequence of dot-separated l
On Mon, Jun 27, 2022 at 02:43:43PM -0600, Peter Saint-Andre wrote:
> On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
> > On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
> >
> >>> Yep, we can punt the definition but then we need to address all the
> >>> special cases.
> >>
> >> I wo
On Mon, Jun 27, 2022 at 02:37:22PM -0600, Peter Saint-Andre wrote:
> > It does for the majority of the certificate usages, but in practice
> > today DANE is primarily used with SMTP, and predominantly with
> > DANE-EE(3) TLSA records, in which case identity questions are settled
> > at the DNS la
On 6/27/22 4:13 PM, Viktor Dukhovni wrote:
On Mon, Jun 27, 2022 at 02:43:43PM -0600, Peter Saint-Andre wrote:
On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
Yep, we can punt the definition but then we need to address all the spec
On 6/27/22 4:27 PM, Viktor Dukhovni wrote:
On Mon, Jun 27, 2022 at 02:37:22PM -0600, Peter Saint-Andre wrote:
It does for the majority of the certificate usages, but in practice
today DANE is primarily used with SMTP, and predominantly with
DANE-EE(3) TLSA records, in which case identity questi
13 matches