On Fri, Jul 7, 2017 at 7:05 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> Once the client obtains a validated TLSA RRset for the service
> endpoint, it may (up to the TTLs of the provided records, validated
> to conform to the max ttl of the RRSIGs and not exceed the RRSIG
> expiration) simply not omit the extension in subsequent requests,
> and validate the server certificate per the cached TLSA RRs.

( assumed typo: s/not omit/omit/ )

This is quite a reasonable and simple optimization, and I think we should document it in the draft. It may often be short-circuited by TLS session resumption, but it's so simple that it's probably worth doing.

Thanks!

--
Shumon Huque
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
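The cache-lifetime rule quoted above (record TTL, clamped to the RRSIG's Original TTL and never past the signature expiration) is easy to get subtly wrong, so here is an added worked example of it in Python. It is not code from the thread or from any draft; the record and RRSIG structures, the function names, and the sample certificate bytes are all constructed for illustration. Only DANE-EE (usage 3) with selector 0 (full certificate) is matched, since selector 1 would need SubjectPublicKeyInfo extraction and usages 0-2 need chain building.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class TlsaRecord:
    """One TLSA RR (RFC 6698 fields) plus the TTL the resolver returned it with."""
    usage: int             # 3 = DANE-EE
    selector: int          # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    cert_assoc_data: bytes
    ttl: int               # seconds remaining, as received


@dataclass(frozen=True)
class Rrsig:
    """Fields of the RRSIG under which the RRset validated (constructed model)."""
    original_ttl: int      # RRSIG "Original TTL"
    expiration: datetime   # RRSIG "Signature Expiration", timezone-aware UTC


@dataclass(frozen=True)
class CachedTlsa:
    records: Tuple[TlsaRecord, ...]
    deadline: datetime     # last instant at which the cached set may be used


def cache_deadline(rrset: Iterable[TlsaRecord], rrsig: Rrsig, now: datetime) -> datetime:
    """Latest instant until which a validated TLSA RRset may be reused.

    Lifetime = smallest record TTL, clamped to the RRSIG Original TTL (a
    validated RRset's TTL must not exceed it), and never later than the
    signature expiration.
    """
    records = list(rrset)
    if not records:
        raise ValueError("empty RRset cannot be cached")
    ttl = min(r.ttl for r in records)
    ttl = min(ttl, rrsig.original_ttl)
    return min(now + timedelta(seconds=ttl), rrsig.expiration)


def cache_validated_rrset(rrset: Iterable[TlsaRecord], rrsig: Rrsig, now: datetime) -> CachedTlsa:
    records = tuple(rrset)
    return CachedTlsa(records=records, deadline=cache_deadline(records, rrsig, now))


def may_omit_extension(entry: Optional[CachedTlsa], now: datetime) -> bool:
    """True when the client can skip the extension and rely on the cached RRs."""
    return entry is not None and now < entry.deadline


def _matches(record: TlsaRecord, cert_der: bytes) -> bool:
    # Selector 1 (SPKI) is deliberately unsupported here: it needs DER parsing.
    if record.selector != 0:
        return False
    if record.matching_type == 0:
        return record.cert_assoc_data == cert_der
    if record.matching_type == 1:
        return record.cert_assoc_data == hashlib.sha256(cert_der).digest()
    if record.matching_type == 2:
        return record.cert_assoc_data == hashlib.sha512(cert_der).digest()
    return False


def cert_accepted(entry: Optional[CachedTlsa], cert_der: bytes, now: datetime) -> bool:
    """Validate a presented end-entity certificate against the cached TLSA RRs.

    A stale (or absent) cache entry is rejected outright rather than trusted
    past its deadline; any one matching DANE-EE record accepts the certificate.
    """
    if not may_omit_extension(entry, now):
        return False
    return any(r.usage == 3 and _matches(r, cert_der) for r in entry.records)


if __name__ == "__main__":
    # Constructed sample data: a fake DER blob and a single SHA-256 DANE-EE record.
    now = datetime(2017, 7, 7, 19, 5, tzinfo=timezone.utc)
    fake_cert = b"constructed-der-certificate-bytes"
    rr = TlsaRecord(3, 0, 1, hashlib.sha256(fake_cert).digest(), ttl=7200)
    sig = Rrsig(original_ttl=3600, expiration=now + timedelta(minutes=10))
    entry = cache_validated_rrset([rr], sig, now)
    print("deadline:", entry.deadline)                       # clamped to +10 min by expiration
    print("omit now?", may_omit_extension(entry, now))       # True
    print("cert ok?", cert_accepted(entry, fake_cert, now))  # True
    print("cert ok later?", cert_accepted(entry, fake_cert, now + timedelta(hours=1)))  # False
```

The deadline is computed once, at validation time, so a later clock check is a single comparison; if the entry has expired the client must send the extension again (or re-query DNS) rather than fall back to the stale set.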