On Wed, Apr 04, 2018 at 05:33:27PM -0400, Paul Wouters wrote:
> On Wed, 4 Apr 2018, Joseph Salowey wrote:
>
> >A) Recommendation of adding denial of existence proofs in the chain provided
> >by the extension
> >B) Adding signaling to require the use of this extension for a period of
> >time (Pinning with TTL)
> >C) Both
>
> These options need a bit of clarification.
>
> If you do A) then by publishing the proof of non-existence records, you
> can cancel any outstanding kind of pin done. And you would not need B)
Hmm, not quite. You might want to publish the "clear the pin" (TTL == zero)
without having to first stop publishing TLSA RRs. The idea is to first ramp
up the TTL, and if there are any problems / change of mind, ramp it down and
remove the TLSA RRs when the last possible extant pin must have expired.
Therefore I think (B) is more urgent. (A) is even more trivial than (B), so
there's no reason not to do both ((C)).

> [..]
>
> So to support all cases, I would say C) but I think B) would get us
> pretty far on a lot of deployments.

+1

> The document's intention is clearly to staple DNSSEC answers for the
> TLSA query on the TLS handshake. Omitting proof of non-existence means
> it fails to achieve its specified goal and makes this TLS extension
> completely useless[*]

+1

Thanks,

Nico
--

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
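The pin lifecycle argued for above (ramp the TTL up, publish TTL == 0 on a change of mind, and only drop the TLSA RRs once the last possible outstanding pin has expired) can be modelled as a small simulation. The following is an added example written for this page; it is not code from the draft, from any TLS library, or from the thread's participants. The `ChainExt`, `ClientPins` and `ServerPinHistory` names, the field layout, the `tlsa_present` flag standing in for a denial-of-existence chain (option A), and the host `example.test` with its timeline are all constructed assumptions for illustration.

```python
# Toy model of the "pinning with TTL" lifecycle discussed in the thread.
# Constructed example, not code from the draft or any implementation.
# All times are in seconds; names and timeline are assumptions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ChainExt:
    """What a client sees in the (hypothetical) extension: the pin TTL and
    whether the stapled DNSSEC chain carries TLSA records or instead a
    denial-of-existence proof for them (option A in the thread)."""
    ttl: int
    tlsa_present: bool = True


@dataclass
class ClientPins:
    """Client-side memory: host -> time until which the server promised to
    keep sending the extension (option B, 'pinning with TTL')."""
    pins: dict = field(default_factory=dict)

    def handshake(self, host: str, now: int, ext: Optional[ChainExt]) -> str:
        expiry = self.pins.get(host)
        if ext is None:
            # Extension absent: fine unless a live pin says it must be there.
            return "pin-violation" if expiry is not None and now < expiry else "ok"
        if ext.ttl == 0:
            self.pins.pop(host, None)          # the "clear the pin" signal
        else:
            self.pins[host] = now + ext.ttl    # each handshake replaces the pin
        # A denial-of-existence chain still satisfies the pin: the extension was
        # present and authenticated, the client simply has no TLSA to match.
        return "ok" if ext.tlsa_present else "ok-no-tlsa"


@dataclass
class ServerPinHistory:
    """Server-side log of which TTL was announced from which moment on, used
    to decide when the TLSA RRs (and the extension) may safely be dropped."""
    announcements: list = field(default_factory=list)   # [(start, ttl), ...]

    def announce(self, start: int, ttl: int) -> None:
        self.announcements.append((start, ttl))

    def earliest_safe_removal(self) -> Optional[int]:
        """Earliest time at which no client can still hold a live pin.
        A non-zero TTL announced from `start` until the next announcement at
        `end` may have been handed out as late as `end`, so pins from that
        period last until end + ttl.  Returns None while a non-zero TTL is
        still being announced (removal is never safe then)."""
        latest = None
        for i, (start, ttl) in enumerate(self.announcements):
            if ttl == 0:
                continue
            if i + 1 == len(self.announcements):
                return None
            end = self.announcements[i + 1][0]
            candidate = end + ttl
            if latest is None or candidate > latest:
                latest = candidate
        return latest


def ramp_scenario() -> dict:
    """Ramp the TTL up, change mind, publish TTL == 0, then remove the
    extension only after the last possible pin has expired."""
    server = ServerPinHistory()
    server.announce(0, 86400)         # day 1: modest one-day pin
    server.announce(86400, 604800)    # day 2: ramp up to one week
    server.announce(200000, 0)        # change of mind: publish "clear the pin"
    safe_at = server.earliest_safe_removal()   # 200000 + 604800 = 804800

    early = ClientPins()   # client that last connected just before the TTL == 0 switch
    early.handshake("example.test", 199999, ChainExt(604800))
    late = ClientPins()    # client that connected after the switch and saw TTL == 0
    late.handshake("example.test", 250000, ChainExt(0))

    return {
        "safe_at": safe_at,
        # dropping the extension too early breaks the early client
        "early_removed_at_500000": early.handshake("example.test", 500000, None),
        # waiting until safe_at is fine for everyone
        "early_removed_at_safe": early.handshake("example.test", safe_at, None),
        "late_removed_at_500000": late.handshake("example.test", 500000, None),
    }


if __name__ == "__main__":
    print(ramp_scenario())
```

The point the model makes explicit is the one in the reply: publishing TTL == 0 only helps clients that happen to connect after the switch, so the server must keep serving the chain (and the TLSA RRs) until the longest pin handed out under the old TTL has run out, which `earliest_safe_removal` computes from the announcement history rather than from the current TTL.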