TLSA records for DANE can't have it all / 2020-09-22

Koos van den Hout

2020-09-22 TLSA records for DANE can't have it all 1 month ago
Yesterday I read about changes at LetsEncrypt that influence LetsEncrypt intermediate certificates and DANE and had a look at my own DANE record set up in december 2019.

I decided to change the 'usage' value to 1, meaning 'EE match validated by public CA' because it's linked to a known public CA, and the old value 3 meaning 'private EE' wasn't completely true because it's linked to a known public CA.

But I received a notification this morning, with:
Only certificate usages DANE-TA(2) and DANE-EE(3) are supported with SMTP.
With references to rfc 7672 section 3.1.1 and further which makes a valid point about CA validation in SMTP sessions.

So the validation chain is purely based on DNSSEC.
Tags: , ,
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred.

PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers pgp key statistics for 0x5BA9368BE6F334E4 Koos van den Hout
RSS
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated in 0.003552 seconds.