author: Jeremy Harris <jgh146exb@wizmail.org> 2014-08-17 00:41:17 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2014-08-17 00:41:17 +0100
commit: 594706ea2e56fe8c972eab772bd3e58c7a0c89ab (patch)
tree: 1e6de688b877331fcb6677ed1e28e222cd10fc14 /doc/doc-txt
parent: fde080a4f34a8eb0f92af6dfc7e4e6ae01fd61f8 (diff)
Add observability variables and provision for avoiding OCSP conflicts
Diffstat (limited to 'doc/doc-txt')
-rw-r--r--  doc/doc-txt/experimental-spec.txt  25
1 files changed, 24 insertions, 1 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index b1b89e007..c060a6c5a 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1235,7 +1235,25 @@ must have a correct name (SubjectName or SubjectAltName).
The use of OCSP-stapling should be considered, allowing
for fast revocation of certificates (which would otherwise
be limited by the DNS TTL on the TLSA records). However,
-this is likely to only be usable with DANE_TA.
+this is likely to only be usable with DANE_TA. NOTE: the
+default is to request OCSP for all hosts; the certificate
+chain in DANE_EE usage will be insufficient to validate
+the OCSP proof and verification will fail. Either disable
+OCSP completely or use the (new) variable $tls_out_tlsa_usage
+like so:
+
+ hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
+ {= {0}{$tls_out_tlsa_usage}} } \
+ {*}{}}
+The variable is a bitfield with numbered bits set for TLSA
+record usage codes. The zero above means DANE was not in use,
+the four means that only DANE_TA usage TLSA records were
+found. If the definition of hosts_require_ocsp or
+hosts_request_ocsp includes the string "tls_out_tlsa_usage",
+they are re-expanded in time to control the OCSP request.
+
+[ All a bit complicated. Should we make that definition
+the default? Should we override the user's definition? ]
For client-side DANE there are two new smtp transport options,
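Review bot: the hosts_request_ocsp example compares $tls_out_tlsa_usage for equality with exactly 4 or exactly 0, so a host that publishes both DANE_TA (usage 2) and DANE_EE (usage 3) TLSA records, which under the stated bitfield semantics gives 12, falls through to the empty branch and never has OCSP requested; the text should say whether that is intended, or the example should test the usage-2 bit rather than the whole value if OCSP is wanted whenever a DANE_TA record is present. The description should also state the bit numbering explicitly (bit n set for usage n, so usage 2 gives 4 and usage 3 gives 8) instead of leaving the reader to infer it from "the four means that only DANE_TA usage TLSA records were found", and should say what value the variable has when no TLSA records were found at all versus when DANE was not attempted, since "zero above means DANE was not in use" covers both. Finally, the bracketed questions at the end of the hunk ("[ All a bit complicated. Should we make that definition the default? ...]") are unresolved design notes and should be settled or moved out of the shipped spec text before this is merged.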
@@ -1260,6 +1278,11 @@ and dnssec_require_domains is ignored.
If verification was successful using DANE then the "CV" item
in the delivery log line will show as "CV=dane".
+There is a new variable $tls_out_dane which will have "yes" if
+verification succeeded using DANE and "no" otherwise (only useful
+in combination with EXPERIMENTAL_TPDA), and a new variable
+$tls_out_tlsa_usage (detailed above).
+
--------------------------------------------------------------
End of file
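Review bot: $tls_out_dane is documented as "no" for everything other than a successful DANE verification, so a reader cannot tell from it whether DANE was never attempted (no usable TLSA records, or no TLS at all) or was attempted and failed; either list the cases "no" covers, or say that $tls_out_tlsa_usage being 0 is the way to distinguish "DANE not in use" from a failed verification. The parenthetical "(only useful in combination with EXPERIMENTAL_TPDA)" also needs its reason stated: if the value only becomes known after the TLS handshake, once the transport's options have already been expanded, say so and name the expansion contexts in which the variable is set, rather than leaving the reader to guess why it is unusable elsewhere.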