On Mon, Feb 23, 2015 at 09:29:07PM +0000, Kevin San Diego wrote:
I'm trying to get to speed on the DANE implementation in Postfix, it appears to support only DANE certificate usage 2 (Trust anchor assertion) and 3 (Domain-issued certificate). Is there a particular reason why the public CA-signed certificate types wouldn't be supported as these are more likely (as of today, at least) to be installed on business and commercial platforms?
https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.3 https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.1 https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-3.1.2 https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-1.3.2
Extract from http://www.postfix.org/TLS_README.html#client_tls_dane:
"The Postfix SMTP client supports only certificate usages "2" and "3" (with "1" treated as though it were "3"). See tls_dane_trust_anchor_digest_enable for usage "2" usability considerations. Support for certificate usage "1" is an experiment, it may be withdrawn in the future. Server operators SHOULD NOT publish TLSA records with usage "1"."
The support for usage "1" simply pretends that the server operator published the right server certificate digest with the wrong usage and treats "1" as though it were "3".