There is consensus to adopt this draft as a working group item. I'll work
with the authors to migrate to the official repository and submit an
updated draft.
On Tue, May 21, 2024 at 11:23 AM Eric Rescorla wrote:
> These are all fair points, and it's possible we don't need to do anything
> with
These are all fair points, and it's possible we don't need to do anything
with the transcript.
I don't think we need to resolve this before adoption, I just wanted to
make sure that I said something now to make sure people weren't surprised
later.
-Ekr
On Tue, May 21, 2024 at 6:46 AM David Benj
Servers using DNSSEC won't help unless the client only honors the hint over
DNSSEC, and we do not live in a universe where DNSSEC succeeded to the
point that that's remotely viable.
I think that too can be discussed in detail post adoption, but I think such
a change would negate the value of this
In my opinion, to prevent downgrade attack, server MUST or SHOULD using DNSSEC when announcing DNS record.21.05.2024, 21:48, "David Benjamin" :Off the cuff, folding it into the transcript sounds tricky, since existing TLS servers won't know to do it, and, as with any other DNS hints, we need to acc
Off the cuff, folding it into the transcript sounds tricky, since existing
TLS servers won't know to do it, and, as with any other DNS hints, we need
to accommodate the DNS being out of sync with the server. It'll also be
more difficult to deploy due to needing changes in the TLS stack and
generall
I agree that it's attractive to be able to hint in the HTTPS RR, but I'm
less sure about addressing the basic insecurity of the DNS channel with the
approach this draft takes. I don't have a complete thought here, but what
if we were to somehow fold the hint into the handshake transcript? I
suppose
I support adoption, and am happy to review.
On Sat, May 4, 2024 at 12:05 AM Joseph Salowey wrote:
> This is a working group call for adoption
> for draft-davidben-tls-key-share-prediction. This document was presented
> at IET 118 and has undergone some revision based on feedback since then.
> T
This document does not make any changes to the DNS queries made. It merely
adds a parameter to the existing HTTPS-RR/SVCB record, with pre-existing
rules on who queries it and when, and describes how TLS can use it.
The interaction between HTTPS-RR and proxies is complex and all already
covered by
