Re: [TLS] Trusting self-signed TLS certificates - specifically for HTTPS

2022-11-29 Thread Bas Westerbaan
>
> On the other hand, the actual certificates are not what one
> would want to log anyway.  Instead one would only want to log DS RRsets
> or NODATA proofs from eTLD registries (gTLDs, ccTLDs and also various
> 2LD, 3LD, ...  suffixes operated by TLD registries).
This is the case if you run your own authoritative DNS server. Most do not.
So you'd want transparency on the TLSA records as well.

> Similar spamming would be possible by
> obtaining certificates from many CAs and rolling them over as frequently
> as possible.

CAs have quite strict rate-limits in place for free certificate issuance,
so it's not a problem.

Best,

 Bas
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls


Re: [TLS] Call for adoption of draft-thomson-tls-keylogfile

2022-11-29 Thread Salz, Rich
> I'm ok with adoption so long as we include sufficient
> caveats along the way (and then add more caveats just
> in case:-)

In OpenSSL, an application must create a function to do the logging, and call 
an API to register that function.  The library never does this on its own, or 
under control of a flag or environment variable. Something like that, perhaps.

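The draft under discussion documents the SSLKEYLOGFILE (NSS key log) line format. The following is an added example, not code from this thread, from OpenSSL or from the draft: a small checker that a defender can run over a file found on a host to confirm it really is a TLS key log, report which sessions it exposes, and flag malformed lines. The label names and the three-field layout are the NSS key log format; the secret-length checks (48-byte TLS 1.2 master secret, 32- or 48-byte TLS 1.3 secrets) are the values used in practice; the sample lines are constructed.

```python
"""Sanity-check a TLS key log in the SSLKEYLOGFILE / NSS key log format.

Added example (not from the thread, OpenSSL or the draft). Each non-comment
line is:  LABEL <client_random hex, 32 bytes> <secret hex>
"""
import re
from dataclasses import dataclass, field

# Labels used by TLS 1.2 (CLIENT_RANDOM -> master secret) and TLS 1.3.
# The TLS 1.3 traffic-secret labels carry a generation counter (_0, _1, ...)
# that increases after a KeyUpdate.
LABEL_RE = re.compile(
    r"^(CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|EARLY_EXPORTER_MASTER_SECRET|"
    r"CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|"
    r"CLIENT_TRAFFIC_SECRET_\d+|SERVER_TRAFFIC_SECRET_\d+|EXPORTER_SECRET)$"
)
CLIENT_RANDOM_LEN = 32          # bytes of the ClientHello random
MASTER_SECRET_LEN = 48          # TLS 1.2 master secret
TLS13_SECRET_LENS = {32, 48}    # SHA-256 or SHA-384 hash output


@dataclass
class KeyLogReport:
    sessions: dict = field(default_factory=dict)  # client_random hex -> set(labels)
    errors: list = field(default_factory=list)    # (line_no, reason)


def _hex_bytes(s: str):
    """Return the decoded bytes, or None if the field is not valid hex."""
    try:
        return bytes.fromhex(s)
    except ValueError:
        return None


def parse_keylog(text: str) -> KeyLogReport:
    """Parse key log text; well-formed lines are grouped per session."""
    report = KeyLogReport()
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are allowed
        parts = line.split()
        if len(parts) != 3:
            report.errors.append((no, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if not LABEL_RE.match(label):
            report.errors.append((no, f"unknown label {label}"))
            continue
        cr = _hex_bytes(client_random)
        if cr is None or len(cr) != CLIENT_RANDOM_LEN:
            report.errors.append((no, "client_random is not 32 bytes of hex"))
            continue
        sec = _hex_bytes(secret)
        if sec is None:
            report.errors.append((no, "secret is not hex"))
            continue
        if label == "CLIENT_RANDOM" and len(sec) != MASTER_SECRET_LEN:
            report.errors.append((no, "master secret must be 48 bytes"))
            continue
        if label != "CLIENT_RANDOM" and len(sec) not in TLS13_SECRET_LENS:
            report.errors.append((no, "TLS 1.3 secret must be 32 or 48 bytes"))
            continue
        report.sessions.setdefault(client_random.lower(), set()).add(label)
    return report


def decryptable_sessions(report: KeyLogReport) -> list:
    """Sessions whose application data is fully exposed by the log: a TLS 1.2
    master secret, or both directions' TLS 1.3 application traffic secrets."""
    both_13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return sorted(
        cr for cr, labels in report.sessions.items()
        if "CLIENT_RANDOM" in labels or both_13 <= labels
    )


# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session with only the client direction, and two bad lines.
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file (constructed sample)",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "d1" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "d2" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "d3" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "d4" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "ee" * 32 + " " + "d5" * 32,  # one direction only
    "CLIENT_RANDOM " + "ff" * 32,                              # too few fields
    "CLIENT_RANDOM " + "zz" * 32 + " " + "bb" * 48,            # not hex
])

if __name__ == "__main__":
    rep = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(rep.sessions)} sessions, {len(rep.errors)} malformed lines")
    for cr in decryptable_sessions(rep):
        print("fully decryptable:", cr[:16] + "...")
    for no, why in rep.errors:
        print(f"line {no}: {why}")
```

The point of `decryptable_sessions` is triage: a log with only handshake secrets exposes less than one that carries the application traffic secrets for both directions, and a TLS 1.2 `CLIENT_RANDOM` line exposes the whole connection on its own.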