Open buffrr opened 3 years ago
While PKIX certificate usages are optional, for a complete DANE implementation we should support DANE-TA(2). This is useful for server administrators who would like to pin a self-signed CA instead of pinning an individual end entity certificate for each service.

RFC7671 also says that the DANE-TA(2) and DANE-EE(3) certificate usages are RECOMMENDED.
https://datatracker.ietf.org/doc/html/rfc7671#section-4

From RFC7671:

Designs in which clients support just the DANE-TA(2) and DANE-EE(3) certificate usages are RECOMMENDED. With DANE-TA(2) and DANE-EE(3), clients don't need to track a large changing list of X.509 TAs in order to successfully authenticate servers whose certificates are issued by a CA that is brand new or not widely trusted.
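The practical difference between the two usages, as an added illustration that is not the project's code and not part of the issue: DANE-EE(3) pins the end-entity certificate itself, while DANE-TA(2) pins an issuer that appears in the presented chain, so re-issuing a service certificate under the same self-signed CA keeps a usage-2 record valid but invalidates a usage-3 one. Certificate and SPKI bytes here are constructed placeholders rather than real DER, and the `Cert`, `TLSA`, `tlsa_for` and `dane_verify` names are this example's own; only the TLSA selector and matching-type computation follows RFC 6698/7671, and the PKIX path validation a real DANE-TA client must still perform up to the matched trust anchor is deliberately left out.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# TLSA certificate usages (RFC 6698, RFC 7671)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# TLSA selectors: the whole certificate or just its SubjectPublicKeyInfo
SEL_CERT, SEL_SPKI = 0, 1
# TLSA matching types
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (placeholder bytes, not real DER)."""
    name: str
    der: bytes    # bytes of the whole certificate
    spki: bytes   # bytes of its SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes   # certificate association data


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Compute the TLSA certificate association data for `cert` (RFC 6698 sec. 2.1)."""
    if selector == SEL_CERT:
        data = cert.der
    elif selector == SEL_SPKI:
        data = cert.spki
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching == MATCH_FULL:
        return data
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unsupported matching type {matching}")


def tlsa_for(cert: Cert, usage: int, selector: int = SEL_SPKI,
             matching: int = MATCH_SHA256) -> TLSA:
    """Build the TLSA record an administrator would publish to pin `cert`."""
    return TLSA(usage, selector, matching, association_data(cert, selector, matching))


def record_matches(chain: List[Cert], rr: TLSA) -> Optional[str]:
    """Return the name of the certificate in `chain` that satisfies `rr`, or None.

    chain[0] is the end-entity certificate; the remaining entries are the
    issuer certificates the server presented, leaf first.
    """
    if rr.usage == DANE_EE:
        # DANE-EE(3): only the end-entity certificate itself may match.
        leaf = chain[0]
        return leaf.name if association_data(leaf, rr.selector, rr.matching) == rr.data else None
    if rr.usage == DANE_TA:
        # DANE-TA(2): an issuer in the presented chain must match. A real client then
        # validates the leaf's path up to that certificate as the trust anchor; that
        # path validation is out of scope here.
        for issuer in chain[1:]:
            if association_data(issuer, rr.selector, rr.matching) == rr.data:
                return issuer.name
        return None
    # PKIX-TA(0) / PKIX-EE(1) additionally require ordinary PKIX validation; not handled.
    return None


def dane_verify(chain: List[Cert], rrset: List[TLSA]) -> Optional[str]:
    """The server is authenticated if any usable TLSA record in the RRset matches."""
    for rr in rrset:
        hit = record_matches(chain, rr)
        if hit is not None:
            return hit
    return None


# Constructed sample: one self-signed CA issuing per-service leaf certificates.
CA = Cert("ca", b"DER:ca", b"SPKI:ca")
WWW_V1 = Cert("www-v1", b"DER:www-v1", b"SPKI:www-v1")
WWW_V2 = Cert("www-v2", b"DER:www-v2", b"SPKI:www-v2")   # same service after a key rotation

EE_RECORD = tlsa_for(WWW_V1, DANE_EE)   # published as "3 1 1 <sha256 of leaf SPKI>"
TA_RECORD = tlsa_for(CA, DANE_TA)       # published as "2 1 1 <sha256 of CA SPKI>"


def rotation_outcomes() -> dict:
    """Which pin survives re-issuing the leaf certificate under the same CA?"""
    before = [WWW_V1, CA]
    after = [WWW_V2, CA]
    return {
        "ee_before": dane_verify(before, [EE_RECORD]),
        "ee_after": dane_verify(after, [EE_RECORD]),    # usage 3 breaks on rotation
        "ta_before": dane_verify(before, [TA_RECORD]),
        "ta_after": dane_verify(after, [TA_RECORD]),    # usage 2 still matches the CA
    }


if __name__ == "__main__":
    for label, result in rotation_outcomes().items():
        print(label, "->", result)
```

Running the block prints that the DANE-EE(3) pin matches `www-v1` before rotation and nothing afterwards, while the DANE-TA(2) pin matches `ca` in both cases, which is exactly why an operator with many services behind one private CA benefits from usage 2 support.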