Todd Short

Results 119 comments of Todd Short

> @tmshort are there any known issues with quictls/openssl resumption/0-RTT changes when upgrading from v1.1.1 to v3.0? All our tests in these areas fail if we try to use v3.0....

ping @openssl/committers ?

Thanks @vdukhovni, I'm not familiar with DANE. Given that RPKs are just that, a single key, will using DANE work without a chain? That being said, I'm a bit confused...

@vdukhovni thanks for the info!

RPK is negotiated; both peers have to support the option. So, there's no chance that a client will receive an RPK unless they specifically ask/allow for it. And to be...

> Requiring an explicit public key to match the peer's RPK is too restrictive. It should be possible to match it by its digest, and the digest or full key...

@vdukhovni don't get me wrong, I do appreciate your feedback. I'm still a bit hesitant on requiring the use of DANE APIs in order to use RPKs. As you alluded...

Still need to update `s_client`/`s_server`, but otherwise I think this wraps up the DANE integration.

This might be considered a non-security fix for a version (1.1.1) that is out of support this year (per @paulidale's comment above).

This is just the API and documentation, to see if this makes sense before expending the effort on an implementation. This should satisfy @hlandau's request for GREASE in the Certificate...