On Tue, 19 Sep 2023, Paul Hoffman wrote:
We don't know. It was pointed out in the WG discussion that some PKIX libraries do different types of verification regardless of what you want them to do.
Yes, exactly. Even if you can't stop your library from verifying, you must be able to ignore the verification failures.
That might not be the case. As with "null encryption", these modes are more and more being removed from code bases to avoid exploits. I also do find the value of using self-signed certs over ACME certs on the auth server pretty low. It's pretty easy to give a nameserver with a static name an automatic ACME-based certificate. With the "opportunistic" part being that if the cert fails, you go back to Do53.

Paul

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
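The "opportunistic" behaviour described in the reply, sketched as an added example that is not code from the thread or from any resolver: verification is never switched off, and a certificate failure simply sends the query back over Do53 while recording the downgrade so it can be monitored. The function names, the `TransportResult` record and the simulated senders are assumptions made for this illustration.

```python
import ssl
from dataclasses import dataclass
from typing import Callable

# Added example, not from the thread. Names below are assumptions.

@dataclass
class TransportResult:
    transport: str    # "DoT" or "Do53"
    downgraded: bool  # True when we fell back after a TLS failure
    reason: str       # why we fell back, kept for logging/detection

def verifying_context() -> ssl.SSLContext:
    # The default context performs PKIX chain and hostname verification;
    # we never relax it. A failure surfaces as ssl.SSLCertVerificationError.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def resolve_opportunistic(send_dot: Callable[[ssl.SSLContext], bytes],
                          send_do53: Callable[[], bytes]) -> tuple[bytes, TransportResult]:
    """Try DoT with full verification; on cert failure fall back to Do53.

    send_dot / send_do53 are injected so the policy can run offline.
    """
    try:
        answer = send_dot(verifying_context())
        return answer, TransportResult("DoT", False, "")
    except ssl.SSLCertVerificationError as e:
        reason = f"cert verification failed: {getattr(e, 'verify_message', None) or e}"
    except (ssl.SSLError, OSError) as e:
        reason = f"TLS/transport error: {e}"
    # The downgrade is recorded, not hidden, so a spike in clear-text
    # fallbacks to a given auth server is visible to monitoring.
    answer = send_do53()
    return answer, TransportResult("Do53", True, reason)

# Constructed stand-ins for the network (no sockets are opened).
def simulated_good_dot(ctx: ssl.SSLContext) -> bytes:
    assert ctx.verify_mode == ssl.CERT_REQUIRED  # verification stays on
    return b"answer-over-dot"

def simulated_self_signed_dot(ctx: ssl.SSLContext) -> bytes:
    raise ssl.SSLCertVerificationError("self-signed certificate")

def simulated_do53() -> bytes:
    return b"answer-over-do53"
```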