Eric, thx a lot for your answer.
We are discussing a lot about that with our community and there is still
no consensus ...
So I come back to you to have clearer information to help us to make the
good decision.
Using DTLS with PSK over UDP, without re-negotiation allowed :
- Is there known
> On Apr 26, 2018, at 2:30 AM, Eric Rescorla wrote:
>
> If you look at HPKP and Expect-CT, you will note that there are a number of
> other fields besides just lifetime (report-uri, include subdomains). I
> recognize
> that opinions vary about whether these are good, but the advantage of havin
On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni
wrote:
>
>
> > On Apr 26, 2018, at 2:30 AM, Eric Rescorla wrote:
> >
> > If you look at HPKP and Expect-CT, you will note that there are a number
> of
> > other fields besides just lifetime (report-uri, include subdomains). I
> recognize
> > that
> On Apr 26, 2018, at 10:50 AM, Eric Rescorla wrote:
>
>> If we look at Expect-CT and MTA-STS + companion SMTP-TLSRPT we
>> find:
>>
>> * a lifetime field
>> * enforce vs. test
>> * a report URI
>>
>> This specification is always "enforce" (though my pull request
>> changes a MUST use D
On Thu, Apr 26, 2018 at 8:05 AM, Viktor Dukhovni
wrote:
>
>
> > On Apr 26, 2018, at 10:50 AM, Eric Rescorla wrote:
> >
> >> If we look at Expect-CT and MTA-STS + companion SMTP-TLSRPT we
> >> find:
> >>
> >> * a lifetime field
> >> * enforce vs. test
> >> * a report URI
> >>
> >> This spec
On Wed, Apr 25, 2018 at 11:30:02PM -0700, Eric Rescorla wrote:
> Thanks for producing some text. I understand why one might think that
> having a reserved 16-bit field is useful here, but I don't really
> agree.
>
> The conventional reason to reserve this kind of field is that you need
> to leave
On Thu, Apr 26, 2018 at 11:13 AM, Nico Williams
wrote:
> On Wed, Apr 25, 2018 at 11:30:02PM -0700, Eric Rescorla wrote:
> > Thanks for producing some text. I understand why one might think that
> > having a reserved 16-bit field is useful here, but I don't really
> > agree.
> >
> > The convention
On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni
> wrote:
> > On Apr 26, 2018, Eric Rescorla wrote:
> >
> > * a lifetime field
> > * enforce vs. test
> > * a report URI
We will need only the TTL. We will not need anything el
On Wed, 25 Apr 2018, Eric Rescorla wrote:
The conventional reason to reserve this kind of field is that you need to leave
space for an extension in some PDU, because it's hard to add later. But that's
not true here (or in TLS in general) because we already have an extension
mechanism (indeed, th
On Thu, Apr 26, 2018 at 11:22 AM, Nico Williams
wrote:
> On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> > On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni >
> > wrote:
> > > On Apr 26, 2018, Eric Rescorla wrote:
> > >
> > > * a lifetime field
> > > * enforce vs. test
> > >
On Thu, Apr 26, 2018 at 8:22 AM, Nico Williams
wrote:
> On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> > On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni >
> > wrote:
> > > On Apr 26, 2018, Eric Rescorla wrote:
> > >
> > > * a lifetime field
> > > * enforce vs. test
> > >
> On Apr 26, 2018, at 11:41 AM, Richard Barnes wrote:
>
> Until my DNSSEC signing infra breaks, the signatures expire, and now my
> server is bricked.
If that happens, you're bricked anyway, the 1.1.1.1, 8.8.8.8, 9.9.9.9,
64.6.64.6, ... resolvers all validate and are used by a broad and
rapid
On Thu, Apr 26, 2018 at 11:41:05AM -0400, Richard Barnes wrote:
> On Thu, Apr 26, 2018 at 11:22 AM, Nico Williams
> wrote:
>
> > On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> > > On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni > >
> > > wrote:
> > > > On Apr 26, 2018, Eric Re
On Thu, Apr 26, 2018 at 08:41:18AM -0700, Eric Rescorla wrote:
> On Thu, Apr 26, 2018 at 8:22 AM, Nico Williams
> wrote:
> > Because we'd pin only to the use of this extension, the TTL is
> > sufficient.
>
> I explained in my response to Victor why this isn't so.
I don't accept that explanation.
On Thu, Apr 26, 2018 at 11:53:29AM -0400, Viktor Dukhovni wrote:
> Of course given evermore sophisticated BGP attacks:
>
> https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/
>
> you might actually want to consider DNSSEC, implement it properly
> and monitor, and the bricking won't hap
> On Apr 26, 2018, at 11:41 AM, Eric Rescorla wrote:
>
> This discussion would probably be a lot more productive if you were
> able to have it without accusing other participants of acting in bad
> faith.
[ Well the objections do seem rather hypothetical, and the thing being
objected to (a 1
As a secondary issue related to this. My client is currently implementing the
handshake protocol a little too faithfully to the 1.2 DTLS specification.
Since the client side reliability loop does not have any discussion on deciding
that the server has gone dark or is just never going to respon
17 matches
Mail list logo
