[Cryptech Tech] Some problems with the repo access

Jakob Schlyter jakob at kirei.se
Sat Feb 15 19:29:26 UTC 2014


On 15 feb 2014, at 20:24, Rob Austein <sra at hactrn.net> wrote:

> Er, no, I really do think I mean usage 2, because this is my own CA.

I may just be confused. If you want to require the user to trust the CA outside DANE, you should use TLSA 0 x x (require BOTH classic PKIX CA and DANE).

If you do TLSA 2 0 0, only DANE w/ DNSSEC validation will be enough; there is no difference trust-wise compared to TLSA 3 x x - no path validation outside DANE will be performed, the TLS client will just match the DNS-published cert to the EE cert issuer, apply path validation (key usage et al) and be done with it.


	jakob
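The distinction Jakob draws above (which certificate in the chain a TLSA record is matched against, and whether usages 0/1 additionally require classic PKIX validation while usages 2/3 do not) is captured in the following Python model. This is an added example, not code from the thread or from the Cryptech project. It assumes a hypothetical `Cert` type whose `der` and `spki` fields hold the full certificate and its SubjectPublicKeyInfo; the "certificates" it uses are constructed byte strings, not real X.509 DER, and `pkix_valid` / `dnssec_secure` stand in for the results of a real PKIX path validation and a DNSSEC-validating resolver. It also skips the step Jakob mentions for usage 2, namely actually validating the EE certificate up to the matched trust anchor (signature chaining, key usage and so on); it only shows which certificate the association data is compared against.

```python
"""
Model of RFC 6698 TLSA matching by usage field:
  0 PKIX-TA  match a CA cert in the chain   AND require classic PKIX validation
  1 PKIX-EE  match the end-entity cert      AND require classic PKIX validation
  2 DANE-TA  match a CA cert in the chain,  no PKIX validation outside DANE
  3 DANE-EE  match the end-entity cert,     no PKIX validation outside DANE
Certificates here are constructed byte strings, not real DER (illustration only).
"""
import hashlib
from dataclasses import dataclass
from typing import List

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass(frozen=True)
class Cert:
    """Hypothetical minimal certificate model (assumption for this example)."""
    name: str
    der: bytes    # full certificate bytes   (selector 0)
    spki: bytes   # SubjectPublicKeyInfo     (selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0..3 as listed in the module docstring
    selector: int       # 0 = full cert, 1 = SPKI
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Compute the association data a TLSA record would carry for `cert`."""
    if selector == 0:
        raw = cert.der
    elif selector == 1:
        raw = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return raw
    if matching_type == 1:
        return hashlib.sha256(raw).digest()
    if matching_type == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(usage: int, selector: int, matching_type: int, cert: Cert) -> TLSA:
    """The record a zone operator would publish for `cert`."""
    return TLSA(usage, selector, matching_type,
                association_data(cert, selector, matching_type))


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file form, e.g. '3 1 1 2bb183af...' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def to_presentation(record: TLSA) -> str:
    return f"{record.usage} {record.selector} {record.matching_type} {record.data.hex()}"


def tlsa_accepts(record: TLSA, chain: List[Cert],
                 pkix_valid: bool, dnssec_secure: bool) -> bool:
    """
    chain[0] is the end-entity cert, chain[1:] the issuer certs the server sent.
    pkix_valid: result of classic PKIX validation against the client's CA store.
    dnssec_secure: the TLSA RRset was DNSSEC-validated (otherwise it is ignored).
    """
    if not dnssec_secure:
        return False                      # unvalidated TLSA data is never used
    if record.usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
        return False                      # usages 0/1 require BOTH PKIX and DANE
    if record.usage in (PKIX_EE, DANE_EE):
        candidates = chain[:1]            # EE usages: match the leaf only
    elif record.usage in (PKIX_TA, DANE_TA):
        candidates = chain[1:]            # TA usages: match an issuer, never the leaf
    else:
        return False                      # unknown usage: treat as unusable
    return any(association_data(c, record.selector, record.matching_type) == record.data
               for c in candidates)


# Constructed sample chain (not real certificates).
CA = Cert("constructed CA", der=b"constructed-ca-der", spki=b"constructed-ca-spki")
EE = Cert("constructed EE", der=b"constructed-ee-der", spki=b"constructed-ee-spki")
CHAIN = [EE, CA]

if __name__ == "__main__":
    for usage in (PKIX_TA, PKIX_EE, DANE_TA, DANE_EE):
        target = EE if usage in (PKIX_EE, DANE_EE) else CA
        rec = make_tlsa(usage, 1, 1, target)
        print(to_presentation(rec)[:12] + "...",
              "pkix=no ->", tlsa_accepts(rec, CHAIN, pkix_valid=False, dnssec_secure=True),
              "pkix=yes ->", tlsa_accepts(rec, CHAIN, pkix_valid=True, dnssec_secure=True))
```

Run as a script it prints one line per usage; the "pkix=no" column is False only for usages 0 and 1, which is the point of the message: a "2 0 0" record published for your own CA is accepted without any trust in that CA outside DANE, exactly like a "3 x x" record, whereas "0 x x" is what you publish if you want the client to also hold the CA in its classic trust store.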
