Hi,
I am aware this discussion has moved to uta (added to cc), but I do not
have any thread there to respond to yet. And I have an idea dnsop people might
want to comment about.
First issue is this should allow banning devices stolen to deny access
into protected internal names. To make it possib
thanks for clearing this up. tls 1.3 failures are going to be pretty common,
because in non-enterprise contexts without local certificate authorities, the
risk imposed by ECH will be seen as too great. i guess we'll have to let the
market sort it out.
--
P Vixie
On Thursday, July 25, 2024 7:2
Thursday, July 25, 2024 12:11 AM
To: Paul Wouters ; Ben Schwartz
Cc: Tommy Jensen ; dnsop ; Damick,
Jeffrey ; Engskow, Matt ; Jessica
Krynitsky
Subject: Re: [DNSOP] Re: [EXTERNAL] New Version Notification for
draft-tjjk-cared-00.txt
On Tuesday, July 23, 2024 1:56:50 PM PDT Ben Schwartz wr
--
> *From:* Paul Vixie
> *Sent:* Tuesday, July 23, 2024 4:01 PM
> *To:* Paul Wouters
> *Cc:* Tommy Jensen ; Ben Schwartz <
> bem...@meta.com>; dnsop ; Damick, Jeffrey <
> jdam...@amazon.com>; Engskow, Matt ; Jessica
> Krynitsky
> *Subject:* Re: [DNSOP] R
On Tuesday, July 23, 2024 1:56:50 PM PDT Ben Schwartz wrote:
> It seems like there's some confusion here. ECH is an extension to TLS that
> is still under development (and now nearly final). Use of ECH is optional
> in TLS 1.3. Any entity that can control the TLS version in use also has
> the ab
--
P Vixie
On Tuesday, July 23, 2024 12:52:28 PM PDT Paul Wouters wrote:
> On Jul 23, 2024, at 12:09, Paul Vixie wrote:
> > Making TLS 1.2 available as a fallback is vital. Many secure private edge
> > networks will never allow TLS 1.3 bec
In enterprise networks, DNS services typically enforce policies at the
organizati
--
P Vixie
On Tuesday, July 23, 2024 12:52:28 PM PDT Paul Wouters wrote:
> On Jul 23, 2024, at 12:09, Paul Vixie wrote:
> > Making TLS 1.2 available as a fallback is vital. Many secure private edge
> > networks will never allow TLS 1.3 because of ECH.
>
> You can do TLS 1.3 without ECH?
if
On Jul 23, 2024, at 12:09, Paul Vixie wrote:
>
>
> Making TLS 1.2 available as a fallback is vital. Many secure private edge
> networks will never allow TLS 1.3 because of ECH.
You can do TLS 1.3 without ECH?
Making a weaker version of TLS mandatory would be unwise, unless it’s to give
mor
On Monday, July 22, 2024 5:11:23 PM PDT Jessica Krynitsky wrote:
> Thanks Ben and Erik for the comments!
>
> Erik, yes I agree, I think we had TLS 1.3 in mind when writing the draft and
> when evaluating alternatives for this encrypted DNS scenario. I think we
> can make an edit to specify TLS 1.3
In enterprise networks, DNS services typically enforce policies at the
organization and user-group levels, rather than at the individual user
level. DNS filtering is generally not imposed based on individual user
identities. It would be interesting to evaluate other possible solutions
that could e
2024 2:41 PM
To: dnsop
Cc: Damick, Jeffrey ; Jessica Krynitsky
; Engskow, Matt
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for
draft-tjjk-cared-00.txt
Hello dnsop,
Not to distract from the "should we deprecate DNS64" discussion I started after
proposing updates to 70
___
From: Tommy Jensen
Sent: Thursday, June 27, 2024 2:41 PM
To: dnsop
Cc: Damick, Jeffrey ; Jessica Krynitsky
; Engskow, Matt
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for
draft-tjjk-cared-00.txt
Hello dnsop,
Not to distract from the "should
m a co-chair of PRIVACYPASS but I am speaking only as an individual
participant.
From: Tommy Jensen
Sent: Thursday, June 27, 2024 2:41 PM
To: dnsop
Cc: Damick, Jeffrey ; Jessica Krynitsky
; Engskow, Matt
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for
draft-tjjk-cared-00.txt
Hello dnsop, Not to distract from the "should we deprecate DNS64" discussion I
started after proposing updates to 7050, but this is the second draft (last
one, I promise) I'
I think mTLS (client certs) makes sense as a recommendation in
draft-tjjk-cared, but it is critical to call out the privacy issues with TLS
client certs in TLS versions prior to TLS 1.3. (i.e., in TLS 1.2 and before
the client certificates are sent in-the-clear in the handshake unless
renegotiation is
Hello dnsop,
Not to distract from the "should we deprecate DNS64" discussion I started after
proposing updates to 7050, but this is the second draft (last one, I promise)
I'll be proposing to this group as interesting work ahead of IETF 120. Joining
me are co-authors Jessica from Microsoft and