On Sep 19, 2023, at 1:39 PM, Roman Danyliw via Datatracker <nore...@ietf.org> 
wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Rich Salz for the SECDIR review.

+1

> 
> I support Paul’s DISCUSS positions.

We will respond to those in a separate message. We're working on that now.

> 
> ** Section 4.6.3.4
>   Because this probing policy is unilateral and opportunistic, the
>   client connecting under this policy MUST accept any certificate
>   presented by the server.  If the client cannot verify the server's
>   identity, it MAY use that information for reporting, logging, or
>   other analysis purposes.  But it MUST NOT reject the connection due
>   to the authentication failure, as the result would be falling back to
>   cleartext, which would leak the content of the session to a passive
>   network monitor.
> 
> What verification is expected?

We don't know. It was pointed out in the WG discussion that some PKIX libraries 
do different types of verification regardless of what you want them to do.

> When might it trigger “reporting, logging or
> other analysis”?

This appears to be library-specific (and probably changes over time as well...).

>  I ask because the text seems to unambiguously say all server
> certificates must be accepted and then again that no connections can be
> rejected.

Yes, exactly. Even if you can't stop your library from verifying, you must be 
able to ignore the verification failures.

--Paul Hoffman

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
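
The behaviour Paul describes above (let the library verify if it insists, record the outcome for logging, never reject the connection) as an added example; this is not code from the draft, the working group or either correspondent. It uses Go's crypto/tls, where setting InsecureSkipVerify disables the library's own PKIX enforcement but the VerifyConnection callback is still invoked, so the client can re-run verification purely for reporting. The loopback server, the name dns.example, and the ProbeResult type and helper functions are constructed for this example; the self-signed server is a test fixture, not a real resolver.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ProbeResult is what the probing client learns; VerifyErr is reported, never enforced.
type ProbeResult struct {
	Names     []string // SAN dNSNames in the certificate the server presented
	VerifyErr error    // nil only if the chain verified against roots for serverName
}

// opportunisticConfig: InsecureSkipVerify stops the library from enforcing PKIX;
// VerifyConnection (still called by Go in that mode) re-runs verification only
// to fill in res.VerifyErr and returns nil so no failure can abort the handshake.
func opportunisticConfig(serverName string, roots *x509.CertPool, res *ProbeResult) *tls.Config {
	return &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 { // possible on a resumed session
				res.VerifyErr = errors.New("server presented no certificate")
				return nil
			}
			leaf := cs.PeerCertificates[0]
			res.Names = leaf.DNSNames
			opts := x509.VerifyOptions{Roots: roots, DNSName: serverName, Intermediates: x509.NewCertPool()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c)
			}
			_, res.VerifyErr = leaf.Verify(opts)
			return nil // record the outcome, never fail the connection on it
		},
	}
}

// probe connects under the probing policy; a non-nil error is a transport or protocol failure, never an authentication one.
func probe(addr, serverName string, roots *x509.CertPool) (ProbeResult, error) {
	var res ProbeResult
	conn, err := tls.Dial("tcp", addr, opportunisticConfig(serverName, roots, &res))
	if err != nil {
		return res, err
	}
	return res, conn.Close()
}

func must[T any](v T, err error) T { // fixture helper for the demo server only
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedServer is a constructed fixture (not a real resolver): a loopback TLS listener with a fresh self-signed certificate.
func selfSignedServer(name string) (string, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srv))
	go func() { // accept loop: complete each handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String(), leaf
}

// demo probes one self-signed server twice: with an empty root store (verification fails, connection still succeeds) and with its certificate trusted.
func demo() (untrusted, trusted ProbeResult, err error) {
	addr, cert := selfSignedServer("dns.example")
	if untrusted, err = probe(addr, "dns.example", x509.NewCertPool()); err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	trusted, err = probe(addr, "dns.example", roots)
	return
}

func main() {
	fmt.Println(demo()) // untrusted result, trusted result, connection error
}
```

Two caveats worth keeping in mind with this pattern. First, with InsecureSkipVerify set, Go performs no verification of its own, so everything the client learns about the server's identity is whatever VerifyConnection computes; that is exactly the "reporting, logging, or other analysis" the quoted text allows, and nothing more. Second, the session is still encrypted, so a passive network monitor sees nothing, but an active attacker who presents any certificate at all is accepted by design; that is the trade-off the probing policy makes in order to avoid falling back to cleartext.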
