[Cryptech Tech] Some problems with the repo access
Jakob Schlyter
jakob at kirei.se
Sat Feb 15 19:29:26 UTC 2014
On 15 Feb 2014, at 20:24, Rob Austein <sra at hactrn.net> wrote:
> Er, no, I really do think I mean usage 2, because this is my own CA.
I may just be confused. If you want to require the user to trust the CA outside DANE, you should use TLSA 0 x x (require BOTH classic PKIX CA and DANE).
If you do TLSA 2 0 0, only DANE with DNSSEC validation will be enough; there is no difference trust-wise compared to TLSA 3 x x: no path validation outside DANE will be performed. The TLS client will just match the DNS-published cert to the EE cert issuer, apply path validation (key usage et al.) and be done with it.
jakob
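As an added illustration of the usage-type distinction discussed above (this is not code from the thread or from Cryptech), the following models how a TLS client decides whether a presented chain satisfies one TLSA record under each of the four RFC 6698 certificate usages. The certificates are constructed placeholders (the `der`/`spki` byte strings are not real encodings), `chains_to` is a stand-in for real EE-to-anchor path validation, and `pkix_valid` stands in for the client's classic CA-store check; the point it shows is which usages consult that external trust and which only match against the chain the server sent.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence


# Toy stand-ins for X.509 certificates. The DER and SPKI bytes are constructed
# placeholders, not real encodings; a real verifier would parse actual
# certificates (e.g. with the `cryptography` package) to obtain these fields.
@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str      # name of the issuing cert (equals `name` when self-signed)
    der: bytes       # whole certificate, DER-encoded (TLSA selector 0)
    spki: bytes      # SubjectPublicKeyInfo, DER-encoded (TLSA selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int    # 0 full certificate, 1 SPKI
    mtype: int       # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes      # certificate association data as published in DNS


def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the association data for `cert` as a TLSA record would carry it."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def matches(cert: Cert, rr: TLSA) -> bool:
    return assoc_data(cert, rr.selector, rr.mtype) == rr.data


def chains_to(chain: Sequence[Cert], anchor: Cert) -> bool:
    """Walk issuer links from the end-entity (chain[0]) until `anchor` is reached.

    Stand-in for real path validation (signatures, key usage, validity
    period) between the EE and the chosen trust anchor."""
    by_name = {c.name: c for c in chain}
    cur, seen = chain[0], set()
    while cur.name not in seen:
        if cur.name == anchor.name:
            return True
        seen.add(cur.name)
        nxt = by_name.get(cur.issuer)
        if nxt is None:
            return False
        cur = nxt
    return False


def dane_accepts(rr: TLSA, chain: Sequence[Cert], pkix_valid: bool) -> bool:
    """Decide whether the presented chain satisfies one TLSA record.

    chain[0] is the server's end-entity cert, chain[1:] the CAs it presented.
    pkix_valid is whether the chain validated against the client's classic
    CA store; only usages 0 and 1 consult it."""
    ee = chain[0]
    if rr.usage == 0:   # PKIX-TA: classic PKIX must pass AND a presented CA must match
        return pkix_valid and any(matches(c, rr) for c in chain[1:])
    if rr.usage == 1:   # PKIX-EE: classic PKIX must pass AND the EE cert must match
        return pkix_valid and matches(ee, rr)
    if rr.usage == 2:   # DANE-TA: the matched CA becomes the trust anchor; no external store
        return any(matches(c, rr) and chains_to(chain, c) for c in chain[1:])
    if rr.usage == 3:   # DANE-EE: the EE cert itself must match; nothing else is checked
        return matches(ee, rr)
    raise ValueError(f"unknown usage {rr.usage}")


# Constructed sample chain: a private, self-signed CA issuing one server cert.
CA = Cert("Example Private CA", "Example Private CA", b"der:ca", b"spki:ca")
EE = Cert("git.example.test", "Example Private CA", b"der:ee", b"spki:ee")
CHAIN = [EE, CA]


if __name__ == "__main__":
    ta = TLSA(2, 0, 0, CA.der)      # "2 0 0": full CA cert, exact match
    pk = TLSA(0, 0, 0, CA.der)      # "0 0 0": same data, but PKIX-TA semantics
    print("2 0 0 without PKIX trust:", dane_accepts(ta, CHAIN, pkix_valid=False))  # True
    print("0 0 0 without PKIX trust:", dane_accepts(pk, CHAIN, pkix_valid=False))  # False
    print("0 0 0 with PKIX trust:   ", dane_accepts(pk, CHAIN, pkix_valid=True))   # True
```

Running it shows the point made in the message: a 2 0 0 record naming the private CA is accepted on the strength of DNSSEC alone, while the same data published as 0 0 0 is rejected until the chain also validates against the client's existing CA store. One simplification to keep in mind: a real DANE-TA client may also use the certificate carried in a matching-type-0 record as the anchor even when the server omitted it from the chain; this model only looks at presented certificates.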