On Sat, Oct 11, 2014 at 07:56:53PM +0200, Mark Elkins wrote:
> > With certificate usage DANE-EE(3) there is no tie to one's preferred
> > CA. The certificate content apart from the public key is effectively
> > ignored anyway.
>
> I'm aware that DANE ignores Expiry dates and other data but the
> Certificate may have embedded CA info (mine does) and if the HASH is for
> the whole of the certificate - then using Selector=Cert(0) means that
> there is an implied relationship with the embedded CA.... even if that
> information is subsequently ignored.
There is no security benefit in binding your service name to
otherwise ignored data. Maybe this binding makes you feel like
you wasted less money paying for the certificate? :-) And yet
there is simply no threat that such a binding addresses that fails
to be addressed with a binding to just the key.
The "3 0 1" record offers no security benefit. It can fail needlessly
in various situations, and does not support RFC 7250 raw public
keys. Avoid it.
--
Viktor.