> On May 16, 2018, at 1:18 AM, Melinda Shore
> wrote:
>
> Your proposal has been discussed
> at length on the list, it's been discussed at length off the list,
> and there is still no consensus to modify the extension to support
> your use case.
You say that, but there are ~5 people on each s
On 5/15/18 8:22 PM, Viktor Dukhovni wrote:
> It just leaves
> the door open going forward, at negligible cost (two bytes on the
> wire in bandwidth, and zero in implementation).
I would be grateful if you would have a consistent story on this.
Clearly, it's not just two bytes, or there wouldn't be
> On May 16, 2018, at 12:08 AM, Melinda Shore
> wrote:
>
> At any rate this is starting to feel like abuse of process.
I was simply following a security AD's suggestion from today's earlier
thread with the AD's authors and chairs:
> Therefore, if you want to make that change, you need to per
We've had this discussion already, at terrific length.
To my knowledge it's still the case that nobody intends
to implement the proposed changes, and it's still the
case that should there be interest in implementing the
new functionality there's the option of a new extension.
At any rate this is
The present DNSSEC chain draft is subject to a downgrade attack
that strips the extension when the attacker is able to compromise
the WebPKI (obtain a fraudulent certificate from a WebPKI CA).
This limits the extension to just the use-cases (de novo
applications) in which DANE is the only supporte
On Tue, 15 May 2018, Eric Rescorla wrote:
[ On advice of Eric, replaced the large CC: list with the TLS WG list ]
I think I've been pretty clear about my position, but in case it's not clear:
- I'm not sure pinning is a great idea for the reasons I've already mentioned
in the thread (i.e., I