Re: [exim] DNSSEC, TLSA, DKIM howto's

Author: Mark Elkins
Date:  
To: exim-users
Subject: Re: [exim] DNSSEC, TLSA, DKIM howto's
On Sat, 2014-10-11 at 18:17 +0000, Viktor Dukhovni wrote:
> On Sat, Oct 11, 2014 at 07:56:53PM +0200, Mark Elkins wrote:
>
> > > With certificate usage DANE-EE(3) there is no tie to one's preferred
> > > CA. The certificate content apart from the public key is effectively
> > > ignored anyway.
> >
> > I'm aware that DANE ignores Expiry dates and other data but the
> > Certificate may have embedded CA info (mine does) and if the HASH is for
> > the whole of the certificate - then using Selector=Cert(0) means that
> > there is an implied relationship with the embedded CA.... even if that
> > information is subsequently ignored.
>
> There is no security benefit in binding your service name to
> otherwise ignored data. Maybe this binding makes you feel like
> you wasted less money paying for the certificate? :-) And yet
> there is simply no threat that such a binding addresses that fails
> to be addressed with a binding to just the key.
>
> The "3 0 1" record offers no security benefit. It can fail needlessly
> in various situations, and does not support RFC 7250 raw public
> keys. Avoid it.
I submit.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
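The selector distinction discussed above (Cert(0) hashes the whole certificate, SPKI(1) hashes only the SubjectPublicKeyInfo), as an added example that is not part of the thread: it assumes the openssl CLI and POSIX sh, uses a constructed key and two constructed self-signed certificates, and shows that reissuing a certificate under the same key changes the "3 0 1" record while the "3 1 1" record stays the same.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Computes DANE-EE TLSA
# records (certificate usage 3, matching type SHA-256 = 1) for a certificate
# with selector Cert(0) and with selector SPKI(1). Assumes the openssl CLI.
set -eu

# Hex SHA-256 of DER bytes on stdin (strips the "…(stdin)= " prefix openssl prints).
sha256_hex() {
    openssl dgst -sha256 | sed 's/^.*= //'
}

# "3 0 1": digest over the entire DER certificate, so issuer, validity and
# every other field are bound into the record.
tlsa_3_0_1() {
    printf '3 0 1 %s\n' "$(openssl x509 -in "$1" -outform DER | sha256_hex)"
}

# "3 1 1": digest over the SubjectPublicKeyInfo only, i.e. the key itself.
tlsa_3_1_1() {
    printf '3 1 1 %s\n' "$(openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | sha256_hex)"
}

# Constructed demo material: one EC key, two self-signed certificates for
# the same (placeholder) host name with different subject and validity.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$demo_dir/key.pem" 2>/dev/null
openssl req -new -x509 -key "$demo_dir/key.pem" -subj "/CN=mail.example.test" \
    -days 30 -out "$demo_dir/cert1.pem" 2>/dev/null
openssl req -new -x509 -key "$demo_dir/key.pem" \
    -subj "/CN=mail.example.test/O=Reissued" -days 60 \
    -out "$demo_dir/cert2.pem" 2>/dev/null

# Expected: the two "3 0 1" lines differ, the two "3 1 1" lines are identical.
for c in cert1 cert2; do
    echo "== $c.pem"
    tlsa_3_0_1 "$demo_dir/$c.pem"
    tlsa_3_1_1 "$demo_dir/$c.pem"
done
```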