On Wed, Apr 4, 2018 at 1:50 PM, Joseph Salowey <j...@salowey.net> wrote:
> Hi Folks,
>
> Some objections were raised late during the review of
> the draft-ietf-tls-dnssec-chain-extension. The question before the
> working group is either to publish the document as is or to bring the
> document back into the working group to address the following issues:
>
> - Recommendation of adding denial of existence proofs in the chain
>   provided by the extension
> - Adding signaling to require the use of this extension for a period of
>   time (Pinning with TTL)
>
> This is a consensus call on how to progress this document. Please answer
> the following questions:
>
> 1) Do you support publication of the document as is, leaving these two
> issues to potentially be addressed in follow-up work?

I support publication of the document as is. I would also be comfortable
with a minor modification to say that TLSA certificate usages 0 and 1 (the
restrictive ones) MUST NOT be used with this mechanism.

Even if this document is restricted to the assertive use cases, it can
still be used in cases where clients and servers have agreed to forego the
"normal" PKI and rely on DANE, or in cases where servers are able to switch
between DANE and non-DANE authentication depending on the client's
capabilities. The former pattern could be made to work in the web if there
were interest; I believe DKG has indicated that DPRIVE might fall in the
former category.

While there may be utility in the restrictive use cases, the discussion to
date indicates that there is sufficient complexity and controversy involved
in making that work that we should not block this document from enabling
assertive use cases while that is in progress.

--Richard

> If the answer to 1) is no then please indicate if you think the working
> group should work on the document to include
>
> A) Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> B) Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> C) Both
>
> This call will be open until April 18, 2018.
>
> Thanks,
>
> Joe
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
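Added illustration, not code from the draft or from anyone in this thread: a small Python check that parses TLSA RDATA in wire format (RFC 6698 layout: usage, selector, matching type, association data) and enforces the modification proposed above, admitting only certificate usages 2 and 3 (DANE-TA, DANE-EE) into the chain extension and rejecting 0 and 1 (PKIX-TA, PKIX-EE). The RRset contents below are constructed sample values, not records from any real zone.

```python
import struct

# Certificate usage values as registered for TLSA (RFC 6698 / RFC 7671).
RESTRICTIVE_USAGES = {0: "PKIX-TA", 1: "PKIX-EE"}  # constrain the normal PKI
ASSERTIVE_USAGES = {2: "DANE-TA", 3: "DANE-EE"}    # authenticate via DANE alone


def parse_tlsa_rdata(rdata):
    """Parse TLSA RDATA wire format: usage(1) selector(1) matching-type(1) data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the three fixed octets")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    data = rdata[3:]
    if selector not in (0, 1):           # 0 = full certificate, 1 = SPKI
        raise ValueError("unknown TLSA selector %d" % selector)
    if mtype not in (0, 1, 2):           # 0 = exact, 1 = SHA-256, 2 = SHA-512
        raise ValueError("unknown TLSA matching type %d" % mtype)
    expected_len = {1: 32, 2: 64}.get(mtype)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError("association data is %d bytes, expected %d"
                         % (len(data), expected_len))
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data}


def is_wellformed(rdata):
    """True if the RDATA parses; used to keep malformed records out entirely."""
    try:
        parse_tlsa_rdata(rdata)
        return True
    except ValueError:
        return False


def usable_with_chain_extension(record):
    """Only the assertive usages (2 and 3) qualify; 0, 1 and unassigned do not."""
    return record["usage"] in ASSERTIVE_USAGES


def split_rrset(rrset):
    """Partition an RRset of TLSA RDATA into (accepted, rejected) records."""
    accepted, rejected = [], []
    for rdata in rrset:
        record = parse_tlsa_rdata(rdata)
        (accepted if usable_with_chain_extension(record) else rejected).append(record)
    return accepted, rejected


# Constructed sample RRset: a DANE-EE record and a PKIX-EE record, both with
# selector 1 (SPKI) and matching type 1 (SHA-256) over a made-up 32-byte digest.
SAMPLE_RRSET = [bytes([3, 1, 1]) + b"\x11" * 32, bytes([1, 1, 1]) + b"\x11" * 32]

if __name__ == "__main__":
    ok, bad = split_rrset(SAMPLE_RRSET)
    print("accepted usages:", [r["usage"] for r in ok], "rejected:", [r["usage"] for r in bad])
```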