Re: [dane] "Name Checks are not appropriate for CU=3"
Viktor Dukhovni <viktor1dane@dukhovni.org> Sat, 18 January 2014 03:21 UTC
On Sat, Jan 18, 2014 at 01:14:25AM +0100, Martin Rex wrote:

> Ooops, typo, I meant (notbefore>notafter) is bogus:

My example is not intended to suggest best-practice server certificate settings, rather it is intended to emphasize DANE client requirements. Servers should not push their luck, but, with usage DANE-EE(3), clients should to the extent possible accept any certificate that matches the TLSA record, regardless of certificate details.

Sometimes extreme settings that are not recommended in practice can best serve to make a point. So I don't disagree with you in fact. The certificate I posted makes my answer to the original question in this thread as clear as possible.

-- 
Viktor.
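The client behaviour argued for in the message above, as an added example that is not part of the original post or of any DANE implementation: a usage-3 match compares only the bytes chosen by the TLSA selector and matching type, so a certificate whose notBefore is later than its notAfter still matches. The helper names and the certificate-shaped sample bytes are constructed for illustration.

```python
import hashlib
import hmac

def tlv(tag, body):
    """DER-encode one tag-length-value (definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, off):
    """Return (tag, value_offset, end_offset) of the TLV starting at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def spki_der(cert):
    """Return the SubjectPublicKeyInfo element of a DER certificate."""
    _, off, _ = read_tlv(cert, 0)     # Certificate
    _, off, _ = read_tlv(cert, off)   # tbsCertificate
    tag, _, nxt = read_tlv(cert, off)
    if tag == 0xA0:                   # optional [0] version
        off = nxt
    for _ in range(5):                # serial, sigalg, issuer, validity, subject
        _, _, off = read_tlv(cert, off)
    _, _, end = read_tlv(cert, off)
    return cert[off:end]

def dane_ee_match(cert, selector, mtype, data):
    """TLSA usage 3: compare the selected bytes; names and dates are never read."""
    selected = cert if selector == 0 else spki_der(cert)   # 0 = Cert, 1 = SPKI
    if mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, data)             # mtype 0 = exact bytes

# Constructed sample (not a real certificate): notBefore later than notAfter,
# empty issuer and subject, dummy algorithm, key and signature bytes.
NOT_BEFORE, NOT_AFTER = b"140118000000Z", b"140117000000Z"
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))
SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00\x04" + bytes(64)))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + tlv(0x30, b"")
          + tlv(0x30, tlv(0x17, NOT_BEFORE) + tlv(0x17, NOT_AFTER)) + tlv(0x30, b"") + SPKI)
CERT = tlv(0x30, TBS + ALG + tlv(0x03, bytes(9)))
TLSA_3_1_1 = hashlib.sha256(SPKI).digest()   # data a "3 1 1" record would carry
```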