MelindaShore / dnssec-serialization

Internet draft(s) proposing a standard for serialization and transport of dnssec/dane validation chains

Make sure that the TLSA record matches a certificate in the server's chain #15

Open MelindaShore opened 9 years ago

MelindaShore commented 9 years ago

From Viktor:

"Great care must be taken (with Certificate usages other than DANE-EE(3)) to ensure that the TLSA record matches a certificate that is actually part of the server's chain and not just some random unrelated certificate that happens to be present in the server certificate message. Many implementors fail to check this."
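The check Viktor describes, as an added illustration that is not part of this issue or the draft: a TLSA record with a CA usage (PKIX-TA(0) or DANE-TA(2)) is only allowed to match a certificate that sits on the issuer-linked chain above the end-entity certificate, never an unrelated certificate that merely appears in the server's Certificate message. The certificates below are constructed stand-ins (a small dataclass holding subject, issuer, DER bytes and SPKI bytes) for what a real X.509 library would extract; the issuer-link walk and the selector/matching-type computation are the point. The `naive_matches` function is the flawed pattern being warned about, shown beside the chain-aware `tlsa_matches`.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Simplified certificate model (constructed; not real X.509 parsing)."""
    subject: str
    issuer: str
    der: bytes   # full certificate (selector 0)
    spki: bytes  # SubjectPublicKeyInfo (selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full cert, 1 SPKI
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data per selector and matching type."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_chain(message: List[Cert]) -> List[Cert]:
    """Follow issuer links from the end-entity cert (first in the message).
    Certificates that are not reachable this way are not part of the chain."""
    if not message:
        return []
    chain, used = [message[0]], {0}
    while chain[-1].issuer != chain[-1].subject:  # stop at a self-signed cert
        nxt = next((i for i, c in enumerate(message)
                    if i not in used and c.subject == chain[-1].issuer), None)
        if nxt is None:
            break
        used.add(nxt)
        chain.append(message[nxt])
    return chain


def naive_matches(tlsa: TLSA, message: List[Cert]) -> Optional[Cert]:
    """The flawed pattern: accept any cert in the message that matches."""
    for c in message:
        if association_data(c, tlsa.selector, tlsa.mtype) == tlsa.data:
            return c
    return None


def tlsa_matches(tlsa: TLSA, message: List[Cert]) -> Optional[Cert]:
    """Chain-aware matching: EE usages may only match the end-entity cert,
    TA usages may only match an issuer on the chain above it."""
    chain = build_chain(message)
    if tlsa.usage in (1, 3):
        candidates = chain[:1]
    elif tlsa.usage in (0, 2):
        candidates = chain[1:]
    else:
        raise ValueError(f"unknown certificate usage {tlsa.usage}")
    for c in candidates:
        if association_data(c, tlsa.selector, tlsa.mtype) == tlsa.data:
            return c
    return None


# --- constructed sample data (labels and bytes are made up) ---
def make_cert(subject: str, issuer: str, seed: int) -> Cert:
    der = f"DER:{subject}<-{issuer}:{seed}".encode()
    return Cert(subject, issuer, der, hashlib.sha256(b"spki:" + der).digest())


EE = make_cert("www.example.com", "Example Issuing CA", 1)
CA = make_cert("Example Issuing CA", "Example Root", 2)
ROOT = make_cert("Example Root", "Example Root", 3)
UNRELATED = make_cert("unrelated.example.net", "Some Other CA", 4)
SERVER_MESSAGE = [EE, CA, ROOT, UNRELATED]  # UNRELATED is not on the chain


def tlsa_for(cert: Cert, usage: int, selector: int = 0, mtype: int = 1) -> TLSA:
    """Build a TLSA record that matches the given cert (for the demo)."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))


if __name__ == "__main__":
    bogus = tlsa_for(UNRELATED, 2)
    print("naive:", naive_matches(bogus, SERVER_MESSAGE) is not None)   # True (wrong)
    print("chain-aware:", tlsa_matches(bogus, SERVER_MESSAGE) is not None)  # False
```

Note that for the PKIX usages the chain must additionally pass ordinary PKIX validation to a trust store; the issuer-link walk here only establishes which certificates are eligible to be compared with the record at all.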

shuque commented 9 years ago

While true, I'm inclined to say that the DANE certificate verification details should be discussed (and already are discussed) elsewhere, like the DANE OPS doc (in IESG review) that Viktor is an author of. If needed, we could add a pointer to that document.