Storing C509 certificates in DNS, using DANE: add new IANA consideration #104
Comments
The comment from mcr was: I think that Bob wants to store C509 certificates in DNS, using DANE. The stuff inside the RR is either an X.509 format certificate, or it may be a I think that Bob is asking if we should have a new Selector value for C509.
Status: Göran and John to bring up in discussions with Robert Moskowitz to clarify
Is this just a matter of a value for C509 in the TLSA Selectors registry? https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml#selectors
@gselander Not quite. The quote from RFC 6698, section 2.1.1:
There are probably some interesting interactions between the formats, given that you can convert between them without changing the signature. This will require a sentence or two of clarifications on how to interpret the above quote, I guess. Maybe even referencing RFC 6698 as being updated by this draft to lessen the restriction?
Could we propose this draft to update the registry to allow C509?
DNS could be used to store C509 certificates, using DANE:
The DANE RR (TLSA) has four semantics for the "Certificate Usage Field", see section 2.1.1 of RFC6698, https://www.rfc-editor.org/rfc/rfc6698
To include C509 as an accepted format, a new selector value should be added, as an IANA consideration in the current draft.
See also "[COSE] Comments about draft-ietf-cose-cbor-encoded-cert" from 2022-11-08