Re: [dane] DANE Client Authentication draft updated

James Cloos <> Tue, 12 January 2016 20:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 086481A882F for <>; Tue, 12 Jan 2016 12:07:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ljl5gAVlrxEd for <>; Tue, 12 Jan 2016 12:07:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 785B61A8823 for <>; Tue, 12 Jan 2016 12:07:20 -0800 (PST)
Received: by (Postfix, from userid 10) id BD79E1E541; Tue, 12 Jan 2016 20:07:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ore14; t=1452629239; bh=LuLysf+7SEaB67SSYX2CFOVwOmLA6bhlrnx5vq1+gv0=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=kxG7emiLACJWVrLqReYSkCoOSu3VmYAdizoOz+rNGWx8o+NUuZ3b7NvGv08YjaSAY qO+xa4DEkoXDDZSclV1EqQLLEOO2bPi3cp9UdBFzk8MPRmOeWnNWsxOJARndq1R024 qHPSAQjmc9D7cdWa4tY2so4u/8d+varpYlAe8nJM=
Received: by (Postfix, from userid 500) id 90CAF1003CD26; Tue, 12 Jan 2016 20:05:51 +0000 (UTC)
From: James Cloos <>
To: Shumon Huque <>
In-Reply-To: <> (Shumon Huque's message of "Tue, 12 Jan 2016 10:15:36 -0500")
References: <>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/25.1.50 (gnu/linux)
Copyright: Copyright 2015 James Cloos
OpenPGP: 0x997A9F17ED7DAEA6; url=
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Date: Tue, 12 Jan 2016 15:05:51 -0500
Message-ID: <>
Lines: 19
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:28:160112:dane\\::NreWfb2pXJNtZMif:0BtsFH
Archived-At: <>
Cc: "<>" <>
Subject: Re: [dane] DANE Client Authentication draft updated
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 12 Jan 2016 20:07:24 -0000

For draft-huque-dane-client-cert I'd still prefer RR names like:


for the cert provided by an smtp client which HELO/EHLOs as example.
And similarly for other protocols.  Rather than things like _smtp-client.

Putting all of the client TLSAs under a single label allows (but
obviously does not require) them to be in their own zone.

Than can be useful.

And in the case where the proposed tls extension is not used, it should
be OK for the name to be in CN, too.  So something like 'MUST be in
either dnsName or CN, but SHOULD be in the dnsName'.

James Cloos <>         OpenPGP: 0x997A9F17ED7DAEA6