On Fri, Apr 13, 2018 at 04:38:55PM -0400, Richard Barnes wrote:
> On Fri, Apr 13, 2018 at 4:30 PM, Nico Williams <n...@cryptonector.com>
> wrote:
> > It's better to send the denial of existence than no extension -- the
> > client could just as well be pinning (because the I-D said it could, or
> > because the client does it regardless), and not having extension then
> > will cause failure.
> >
> > Now, clients that don't do opportunistic pinning would have to... notice
> > the lack of TLSA RRs, but not necessarily bother validating the denial
> > of existence chain.  There's not even a need to say that the client
> > SHOULD (let alone MUST) validate the denial of existence chain.  It
> > suffices that the server SHOULD send it.
> 
> Sure seems like it would be simpler to say "Client MUST NOT cache TLSA
> state".  Yes, that cuts off some use cases.  But it avoids all the

That's not the right way to say "no pinning".

> transition pain that EKR has pointed out.

The I-D needs *some* updates.  You and I disagree about which updates,
but it needs updates.  It cannot be published as-is.  Even removing any
kind of pinning requires WG consensus at this point.

And we've already seen that at least one author supports (A), and we
could probably easily get support for a (C') where we get the two bytes
we're asking for as well but with as much semantics as possible left for
a follow-on I-D.

Nico
-- 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
