Postfix DANE support for Certificate Usage = 0/1?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Feb 23 23:31:32 CET 2015
On Mon, Feb 23, 2015 at 09:29:07PM +0000, Kevin San Diego wrote:
> I'm trying to get to speed on the DANE implementation in Postfix, it
> appears to support only DANE certificate usage 2 (Trust anchor assertion)
> and 3 (Domain-issued certificate). Is there a particular reason why the
> public CA-signed certificate types wouldn't be supported as these are more
> likely (as of today, at least) to be installed on business and commercial
> platforms?
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.3
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.1
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.2
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-1.3.2
> Extract from http://www.postfix.org/TLS_README.html#client_tls_dane:
> "The Postfix SMTP client supports only certificate usages "2" and "3"
> (with "1" treated as though it were "3"). See tls_dane_trust_anchor_digest_enable
> for usage "2" usability considerations. Support for certificate usage "1" is
> an experiment, it may be withdrawn in the future. Server operators SHOULD NOT
> publish TLSA records with usage "1"."
The support for usage "1" simply pretends that the server operator
published the right server certificate digest with the wrong usage
and treats "1" as though it were "3".
--
Viktor.
More information about the dane-users
mailing list