On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni <ietf-d...@dukhovni.org>
> wrote:
> > On Apr 26, 2018, Eric Rescorla <e...@rtfm.com> wrote:
> >
> >   * a lifetime field
> >   * enforce vs. test
> >   * a report URI

We will need only the TTL.  We will not need anything else.  This is NOT
like HPKP.  This will pin only the use of the extension, and NOT EVEN
the use of DANE since you can send a denial of existence and you can
*always*[*] do that if you stop wanting DANE.

[*] (unless you're operating in an alternate DNS universe where no zone
    is signed, not even the root zone, but then you wouldn't have used
    this extension ever, and you'd not have pinned it).

Because we'd pin only to the use of this extension, the TTL is
sufficient.

> > This specification is always "enforce" (though my pull request
> > changes a MUST use DANE to a SHOULD with some necessary added
> > conditions) and since the report URI is in good measure to
> > support non-enforce mode, we're back to just max-age.

> But this reinforces my point. I think we ought to have an enforce vs
> test flag and a report URI (and I don't find your arguments above
> about why we shouldn't do this persuasive.)  Standardizing this
> functionality would require resolving these issues.

Strawman.  These are make-believe issues.  Is it just to give the
appearance that we couldn't possibly reach consensus on just two bytes?

Nico
-- 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
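As an added illustration of the pin semantics Nico describes (pin only the use of the extension for a TTL; an authenticated denial of existence keeps the extension in use while DANE is not; a lapsed TTL simply forgets the pin), here is example client-side pin-store logic. It is not code from the draft, from the TLS WG, or from anyone in this thread. The ChainReply abstraction, the in-memory store, the method names and the rule that an advertised TTL of zero releases an existing pin are all assumptions for illustration, and the extension's actual wire encoding is not modelled.

```python
"""Client-side pin logic for a TLS DNSSEC-chain extension whose only pin
parameter is a lifetime (TTL).

Added example, not code from the draft or from anyone in the thread.
Assumptions (for illustration only): the ChainReply abstraction, the
in-memory pin store, and the rule that an advertised TTL of 0 releases
an existing pin.  The extension's real wire encoding is not modelled.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ChainReply:
    """What a server's extension conveyed, abstracted (assumed model)."""
    ttl: int                           # advertised pin lifetime in seconds
    denial_of_existence: bool = False  # authenticated proof that no TLSA RRset exists


class ExtensionPinStore:
    """Pins only *the use of the extension* for a host, never DANE itself."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pins: Dict[str, float] = {}  # host -> absolute expiry time

    def is_pinned(self, host: str) -> bool:
        expiry = self._pins.get(host)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._pins[host]           # a lapsed TTL simply forgets the pin
            return False
        return True

    def process(self, host: str, reply: Optional[ChainReply]) -> str:
        """Classify one handshake.  Returns:
          "no-ext"               extension absent, host not pinned: fall back to PKIX
          "pin-violation"        extension absent while pinned: abort the handshake
          "dane"                 authenticated TLSA chain delivered: verify via DANE
          "denial-of-existence"  authenticated denial: extension honoured, DANE not used
        """
        if reply is None:
            return "pin-violation" if self.is_pinned(host) else "no-ext"
        # Extension present: (re)pin for the advertised TTL.  ttl == 0 releases
        # the pin (assumption, by analogy with HSTS max-age=0).
        if reply.ttl > 0:
            self._pins[host] = self._clock() + reply.ttl
        else:
            self._pins.pop(host, None)
        return "denial-of-existence" if reply.denial_of_existence else "dane"


def demo() -> List[str]:
    """Walk through the cases with a controllable clock (constructed input)."""
    now = [1_000_000.0]
    store = ExtensionPinStore(clock=lambda: now[0])
    host = "example.com"
    out = []
    out.append(store.process(host, None))                           # never pinned
    out.append(store.process(host, ChainReply(ttl=3600)))           # pins for an hour
    out.append(store.process(host, None))                           # server dropped it: violation
    out.append(store.process(host, ChainReply(3600, True)))         # stop using DANE, keep extension
    out.append(store.process(host, ChainReply(ttl=0, denial_of_existence=True)))  # release pin
    out.append(store.process(host, None))                           # now allowed again
    out.append(store.process(host, ChainReply(ttl=60)))             # short pin
    now[0] += 61                                                    # TTL lapses
    out.append(store.process(host, None))                           # pin forgotten, no violation
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point the walkthrough makes is the one in the message: the only state a client needs to keep is an expiry time per host, and a server that wants out of DANE does not need a test mode or a report URI, it keeps answering with the extension and serves an authenticated denial of existence (optionally with a zero TTL) until the last pin has run out.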
