On Tue, 19 Sep 2023, Paul Hoffman wrote:
We don't know. It was pointed out in the WG discussion that some PKIX libraries
do different types of verification regardless of what you want them to do.
Yes, exactly. Even if you can't stop your library from verifying, you must be
able to ignore th
> On Sep 20, 2023, at 2:32 PM, Paul Wouters wrote:
>
> On Tue, 19 Sep 2023, Paul Hoffman wrote:
>
>> We don't know. It was pointed out in the WG discussion that some PKIX
>> libraries do different types of verification regardless of what you want
>> them to do.
>
>> Yes, exactly. Even if y
Paul,
On 9/20/23 14:41, Paul Hoffman wrote:
I also do find the value of using self-signed certs over ACME certs
on the auth server pretty low. It's pretty easy to give a nameserver
with a static name an automatic ACME-based certificate. With the
"opportunistic" part being that if the cert fails,
It appears that Paul Hoffman said:
>Is there widespread availability for "ACME certs" for authoritative DNS name
>servers that have no web server component reasonably available
>now? When I looked a few years ago, they weren't at all.
I have over 300 certs here all using DNS verification. I use
On Wed, 20 Sep 2023, Paul Hoffman wrote:
That might not be the case. As with "null encryption", these modes are
more and more being removed from code bases to avoid exploits.
At that point, you couldn't use the library any more, correct?
At that point, you would not have a library anymore th
Murray Kucherawy has entered the following ballot position for
draft-ietf-dprive-unilateral-probing-12: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Ple