On Wed, Feb 28, 2018 at 3:07 PM, Nico Williams <n...@cryptonector.com> wrote:
> IF there's an objection to modifying the extension in order to add a
> pin-to-DANE TTL field, I would propose the following instead:
>
> Make the pin-to-DANE be "forever" but make it so it can easily be
> cleared if DANE is undeployed for the service.

This option is already covered in the draft. It doesn't use the term pinning, but does mention caching the existence of DANE on first contact and requiring it subsequently (if clients want to do so). I do not know if the draft authors and/or WG have an appetite to do the much more major change suggested by Viktor (i.e. in-protocol pinning TTL commitment and requiring subsequent denial of existence proof if DANE is removed).

Shumon.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
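As an added illustration (not code from the draft or from anyone in this thread), a Python model of the client-side pin logic the two proposals imply: a pin cached on first DANE contact, either held "forever" or bounded by a server-committed TTL, and cleared only by an authenticated denial-of-existence proof when DANE is withdrawn. The `Handshake` fields, the policy names and the choice of a denial proof as the clearing mechanism for the "forever" pin are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Handshake:
    """What the client learned from one connection (constructed model, not the draft's wire format)."""
    has_tlsa_chain: bool            # server presented a validated TLSA chain in the extension
    has_denial_proof: bool = False  # server presented a DNSSEC denial-of-existence proof for the TLSA name
    pin_ttl: int = 0                # seconds the server commits to keeping DANE deployed; 0 = no commitment


class DanePinStore:
    """Per-host pin cache (hypothetical client logic). policy is "forever" or "ttl"."""

    def __init__(self, policy: str, now: Callable[[], float] = time.time):
        self.policy = policy
        self.now = now
        self.pins: Dict[str, Optional[float]] = {}  # host -> expiry epoch, None = pinned forever

    def _pin_active(self, host: str) -> bool:
        if host not in self.pins:
            return False
        expiry = self.pins[host]
        if expiry is not None and expiry <= self.now():
            del self.pins[host]          # TTL ran out: the server's commitment has lapsed
            return False
        return True

    def evaluate(self, host: str, hs: Handshake) -> str:
        """Return "accept" or "reject" for this connection and update the pin cache."""
        pinned = self._pin_active(host)
        if hs.has_tlsa_chain:
            if self.policy == "forever":
                self.pins[host] = None
            elif hs.pin_ttl > 0:         # "ttl" policy: only pin for as long as the server commits
                self.pins[host] = self.now() + hs.pin_ttl
            return "accept"
        # No TLSA chain this time.
        if not pinned:
            return "accept"              # never saw DANE here (or pin expired): plain PKIX applies
        if hs.has_denial_proof:
            del self.pins[host]          # authenticated proof that TLSA is gone: clear the pin
            return "accept"
        return "reject"                  # pinned, no chain, no proof: treat as a downgrade attempt
```

Run the "forever" and "ttl" stores side by side against the same sequence of handshakes to see where they diverge: the TTL store stops enforcing once the committed window passes, the forever store only on a denial proof.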