On Fri, Jul 13, 2018 at 03:15:57PM +0200, Dennis Baaten wrote:
> In your presentation named "Real World DANE Inter-domain email transport" (https://static.ptbl.co/static/attachments/169319/1520904692.pdf) you describe two approaches to handle a certificate change from a DANE perspective: "current + next", and "current + issuer CA". In the given example you use a "1" (certificate public key) for the TLSA parameter "selector". I'm wondering whether this example is meant to imply that selector type "1" is preferred over selector type "0" (full certificate)?
Yes, "1" is preferred for public CAs, where you don't control the timing of issuer certificate renewals, and typically (e.g. Let's Encrypt) the CA continues to use the same key, with a newly issued certificate.
> In my opinion the selector type should not matter, making a "311 + 211" just as good as a "301 + 211". Would you agree?
As for DANE-EE(3), "3 1 1" is also preferred, though if you always change keys when renewing the certificate, then indeed it does not matter very much.
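As an added illustration, not part of this thread, the Go program below computes the "3 0 1" and "3 1 1" association data for a certificate that is reissued for the same key, the renewal pattern described above; it self-signs a constructed 90-day certificate in place of a real CA issuance, and the function names are its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// must panics on err so the example stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// TLSAData returns the hex association data of a "3 <selector> 1" record:
// selector 0 hashes the full DER certificate, selector 1 only the
// SubjectPublicKeyInfo (the key); matching type 1 means SHA-256.
func TLSAData(cert *x509.Certificate, selector int) string {
	input := cert.RawSubjectPublicKeyInfo
	if selector == 0 {
		input = cert.Raw
	}
	sum := sha256.Sum256(input)
	return hex.EncodeToString(sum[:])
}

// Issue self-signs a constructed 90-day certificate for key; a new serial
// number stands in for a CA renewal that re-certifies the same key.
func Issue(key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, 90)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// Renewal issues a certificate for one key twice and reports whether the
// "3 0 1" data and the "3 1 1" data changed between the two issuances.
func Renewal() (fullCertChanged, keyChanged bool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	old, renewed := Issue(key, 1), Issue(key, 2)
	return TLSAData(old, 0) != TLSAData(renewed, 0), TLSAData(old, 1) != TLSAData(renewed, 1)
}
```

Renewal() returns (true, false): the full-certificate digest changes on every reissuance while the key digest stays stable, which is why a "3 1 1" record survives a same-key renewal and a "3 0 1" record does not.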