Re: [dane] "Name Checks are not appropriate for CU=3"

Viktor Dukhovni <viktor1dane@dukhovni.org> Sat, 18 January 2014 03:21 UTC

Date: Sat, 18 Jan 2014 03:21:18 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140118032118.GE2317@mournblade.imrryr.org>
References: <20140117225019.5E33E1ABB3@ld9781.wdf.sap.corp> <20140118001425.65FBF1ABB3@ld9781.wdf.sap.corp>
In-Reply-To: <20140118001425.65FBF1ABB3@ld9781.wdf.sap.corp>
Subject: Re: [dane] "Name Checks are not appropriate for CU=3"

On Sat, Jan 18, 2014 at 01:14:25AM +0100, Martin Rex wrote:

> Ooops, typo, I meant (notbefore>notafter) is bogus:

My example is not intended to suggest best-practice server certificate
settings; rather, it is intended to emphasize DANE client requirements.
Servers should not push their luck, but, with usage DANE-EE(3),
clients should, to the extent possible, accept any certificate that
matches the TLSA record, regardless of certificate details.

Sometimes extreme settings that are not recommended in practice
can best serve to make a point.  So I don't disagree with you, in
fact.  The certificate I posted makes my answer to the original question
in this thread as clear as possible.

-- 
	Viktor.
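As an added illustration of the client requirement Viktor describes (this is example code written for this archive page, not code from Viktor's message, from Postfix, or from any DANE library), the following Python performs the DANE-EE(3) match: the certificate presented by the server is compared against the TLSA association data (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512) and nothing else about the certificate is consulted, so a certificate whose notBefore is later than its notAfter (the "bogus" case from the thread) still matches. The certificate is a constructed, unsigned X.509-shaped DER blob built with a minimal encoder; the key bytes, serial number and names are placeholders, and `der_items`, `make_toy_cert` and `tlsa_dane_ee_match` are names chosen here, not from any RFC or implementation.

```python
import hashlib
import hmac

# --- minimal DER helpers, enough to build and walk a toy X.509 certificate ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("0603550403")                      # commonName
NULL = b"\x05\x00"

def name(cn):
    return seq(tlv(0x31, seq(OID_CN, tlv(0x0C, cn.encode()))))

def make_toy_cert(cn, key_bytes, not_before, not_after):
    """Constructed, unsigned X.509-shaped DER; key_bytes stands in for a real key."""
    spki = seq(seq(OID_RSA, NULL), tlv(0x03, b"\x00" + key_bytes))
    tbs = seq(
        tlv(0xA0, integer(2)),            # [0] EXPLICIT version v3
        integer(0x1234),                  # serialNumber (placeholder)
        seq(OID_SHA256_RSA, NULL),        # signature algorithm
        name(cn),                         # issuer
        seq(tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode())),
        name(cn),                         # subject
        spki,
    )
    return seq(tbs, seq(OID_SHA256_RSA, NULL), tlv(0x03, b"\x00" + b"\xAB" * 16))

def der_items(buf):
    """Split a DER SEQUENCE body into (tag, value, raw_tlv) children."""
    items, pos = [], 0
    while pos < len(buf):
        start = pos
        tag = buf[pos]; pos += 1
        length = buf[pos]; pos += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
        value = buf[pos:pos + length]; pos += length
        items.append((tag, value, buf[start:pos]))
    return items

def tbs_fields(cert_der):
    _, cert_body, _ = der_items(cert_der)[0]
    _, tbs_body, _ = der_items(cert_body)[0]
    fields = der_items(tbs_body)
    if fields[0][0] == 0xA0:              # skip the optional [0] version
        fields = fields[1:]
    return fields                         # serial, sigalg, issuer, validity, subject, spki, ...

def extract_spki(cert_der):
    return tbs_fields(cert_der)[5][2]     # raw SubjectPublicKeyInfo TLV

def extract_validity(cert_der):
    nb, na = der_items(tbs_fields(cert_der)[3][1])
    return nb[1].decode(), na[1].decode()

def tlsa_dane_ee_match(cert_der, usage, selector, mtype, assoc_data):
    """DANE-EE(3) check: per RFC 6698 section 2.1.1 PKIX validation is not
    tested; only the TLSA association data decides. Validity dates and names
    are deliberately never looked at here, which is the thread's point."""
    if usage != 3:
        raise ValueError("this matcher only handles DANE-EE(3)")
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        return False                      # unknown selector: record is unusable
    if mtype == 0:
        digest = data
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        return False                      # unknown matching type: record is unusable
    return hmac.compare_digest(digest, assoc_data)

# Constructed server certificate with the "bogus" validity (notBefore > notAfter).
SERVER_CERT = make_toy_cert("mail.example", b"\x01" * 32, "491231235959Z", "140101000000Z")
OTHER_CERT = make_toy_cert("mail.example", b"\x02" * 32, "140101000000Z", "240101000000Z")

# TLSA "3 1 1": DANE-EE, SPKI selector, SHA-256, derived from the server cert.
TLSA_3_1_1 = (3, 1, 1, hashlib.sha256(extract_spki(SERVER_CERT)).digest())

def demo():
    return {
        "bogus_dates": extract_validity(SERVER_CERT),
        "server_matches": tlsa_dane_ee_match(SERVER_CERT, *TLSA_3_1_1),
        "other_matches": tlsa_dane_ee_match(OTHER_CERT, *TLSA_3_1_1),
    }

if __name__ == "__main__":
    print(demo())
```

The matcher accepts the server certificate on the strength of the TLSA digest alone and rejects a certificate with a different key, while the inverted dates never enter the decision; a client that additionally ran expiration or name checks for usage 3 would refuse a certificate the record explicitly authorizes.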