MUST include the trust anchor certificate with certificate usage DANE-TA(2)

MelindaShore / dnssec-serialization

Internet draft(s) proposing a standard for serialization and transport of dnssec/dane validation chains

0 stars 1 forks source link

MUST include the trust anchor certificate with certificate usage DANE-TA(2) #16

Open MelindaShore opened 9 years ago

MelindaShore commented 9 years ago

From Viktor:

"This draft should reiterate the requirement that with certificate usage DANE-TA(2), the server MUST include the trust-anchor certificate in its certificate message even if that trust-anchor is self-signed (root CAs are NOT optional with DANE-TA(2))."

shuque commented 9 years ago

This is discussed in the DANE-OPS document, and we can have a pointer to it. I'm not convinced that it needs to be discussed additionally in the text of this draft.