Make sure that the TLSA record matches a certificate in the server's chain #15

Open
MelindaShore opened this issue Jul 1, 2015 · 1 comment

Comments

@MelindaShore
Owner

From Viktor:

"Great care must be taken (with Certificate usages other than
DANE-EE(3)) to ensure that the TLSA record matches a certificate
that is actually part of the server's chain and not just some random
unrelated certificate that happens to be present in the server
certificate message. Many implementors fail to check this."

@shuque
Collaborator

shuque commented Jul 6, 2015

While true, I'm inclined to say that the DANE certificate verification details should be discussed (and are already discussed) elsewhere, like the DANE OPS doc (in IESG review) that Viktor is an author of. If needed, we could add a pointer to that document.
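
Added example, not part of the issue thread or the project's code: a Python sketch of the check Viktor describes, restricting DANE-TA(2) matching to certificates reached by walking issuer links from the leaf instead of scanning everything in the Certificate message. The `Cert` record, its `signed_by` field (a stand-in for real signature verification) and the sample values are constructed assumptions; a real client takes these fields from its X.509 library and also verifies signatures, validity periods and names.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a parsed X.509 certificate."""
    subject: str
    issuer: str
    der: bytes        # full certificate encoding
    spki: bytes       # SubjectPublicKeyInfo encoding
    signed_by: bytes  # stand-in for "signature verifies under this SPKI"

def build_chain(message):
    """Follow issuer links upward from the leaf (first cert in the message)."""
    chain = [message[0]]
    while chain[-1].subject != chain[-1].issuer:
        child = chain[-1]
        parent = next((c for c in message if c not in chain
                       and c.subject == child.issuer
                       and c.spki == child.signed_by), None)
        if parent is None:
            break
        chain.append(parent)
    return chain

def tlsa_matches(cert, selector, mtype, data):
    blob = {0: cert.der, 1: cert.spki}[selector]  # 0 = full cert, 1 = SPKI
    if mtype == 1:
        blob = hashlib.sha256(blob).digest()
    elif mtype == 2:
        blob = hashlib.sha512(blob).digest()
    return blob == data                           # mtype 0 = exact match

def dane_ta_anchor(message, selector, mtype, data, chain_only=True):
    """Cert matched by a DANE-TA(2) record among the leaf's issuers, or None.
    chain_only=False reproduces the flawed check over the whole message."""
    candidates = build_chain(message)[1:] if chain_only else message[1:]
    return next((c for c in candidates
                 if tlsa_matches(c, selector, mtype, data)), None)

# Constructed sample Certificate message: leaf, its issuer, and a stray cert.
LEAF = Cert("mail.example", "Example Issuing CA", b"leaf-der", b"leaf-spki", b"issuer-spki")
ISSUER = Cert("Example Issuing CA", "Example Root", b"issuer-der", b"issuer-spki", b"root-spki")
STRAY = Cert("Unrelated CA", "Unrelated CA", b"stray-der", b"stray-spki", b"stray-spki")
MESSAGE = [LEAF, ISSUER, STRAY]
ISSUER_PIN = hashlib.sha256(ISSUER.spki).digest()  # data of a "2 1 1" record
STRAY_PIN = hashlib.sha256(STRAY.spki).digest()
```

With the constructed message, a record pinning the stray certificate is accepted by the whole-message scan but rejected once matching is limited to the built chain.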
