On Thu, Apr 26, 2018 at 11:22 AM, Nico Williams <n...@cryptonector.com> wrote:
> On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> > On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni <ietf-d...@dukhovni.org>
> > wrote:
> > > On Apr 26, 2018, Eric Rescorla <e...@rtfm.com> wrote:
> > > >
> > > > * a lifetime field
> > > > * enforce vs. test
> > > > * a report URI
>
> We will need only the TTL. We will not need anything else. This is NOT
> like HPKP. This will pin only the use of the extension, and NOT EVEN
> the use of DANE since you can send a denial of existence and you can
> *always*[*] do that if you stop wanting DANE.
>

Until my DNSSEC signing infra breaks, the signatures expire, and now my
server is bricked.

--Richard

>
> [*] unless you're operating in an alternate DNS universe where no zone
> is signed, not even the root zone, but then you wouldn't have used
> this extension ever, and you'd not have pinned it).
>
> Because we'd pin only to the use of this extension, the TTL is
> sufficient.
>
> > > This specification is always "enforce" (though my pull request
> > > changes a MUST use DANE to a SHOULD with some necessary added
> > > conditions) and since the report URI is in good measure to
> > > support non-enforce mode, we're back to just max-age.
> >
> > But this reinforces my point. I think we ought to have an enforce vs
> > test flag and a report URI (and I don't find your arguments above
> > about why we shouldn't do this persuasive.) Standardizing this
> > functionality would require resolving these issues.
>
> Strawman. These are make-believe issues. Is it just to give the
> appearance that we couldn't possibly reach consensus on just two bytes?
>
> Nico
> --
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
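The two positions in the thread (pin only "this server sends the extension" for a TTL, and you can always exit via a denial of existence, versus the pin becoming a hard failure once the zone's RRSIGs expire) are easy to see in a small state model. The following is an added example, not code from the thread, from the draft, or from any TLS implementation; the field names, the `pin_ttl == 0` unpin convention, and the rule that an unpinned client ignores an unvalidatable chain are all assumptions of this toy, not the draft's wire format or behaviour. The timeline in `scenario()` is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ChainExtension:
    """Stand-in for the proposed dnssec_chain extension payload (simplified, assumed)."""
    pin_ttl: int        # seconds the client keeps insisting on the extension; 0 = unpin (assumption)
    dane_present: bool  # True: chain carries TLSA records; False: authenticated denial of existence
    rrsig_valid: bool   # False models expired or broken RRSIGs in the delivered chain


@dataclass
class PinEntry:
    expires_at: int


class PinningClient:
    """Client that pins only 'this host sends the extension', per host, for pin_ttl seconds."""

    def __init__(self) -> None:
        self.pins: Dict[str, PinEntry] = {}

    def handshake(self, host: str, now: int, ext: Optional[ChainExtension]) -> str:
        pin = self.pins.get(host)
        if pin is not None and pin.expires_at <= now:
            del self.pins[host]   # TTL elapsed: the pin is simply forgotten
            pin = None

        if ext is None:
            if pin is not None:
                return "fail:pinned-but-extension-absent"
            return "ok:pkix"      # never pinned, or pin expired: ordinary PKIX validation

        if not ext.rrsig_valid:
            # Neither TLSA data nor a denial of existence can be validated without
            # good signatures, so a pinned client has nothing it can accept.
            if pin is not None:
                return "fail:pinned-but-chain-invalid"
            return "ok:pkix"      # assumption: an unpinned client ignores an unusable chain

        # Chain validates. A denial of existence is a perfectly good extension too.
        if ext.pin_ttl > 0:
            self.pins[host] = PinEntry(expires_at=now + ext.pin_ttl)
        else:
            self.pins.pop(host, None)   # pin_ttl == 0 withdraws the pin
        return "ok:dane" if ext.dane_present else "ok:no-dane"


def scenario() -> List[str]:
    """Constructed timeline for one host; returns the outcome of each handshake in order."""
    c = PinningClient()
    host = "example.com"
    good = ChainExtension(pin_ttl=3600, dane_present=True, rrsig_valid=True)
    denial = ChainExtension(pin_ttl=3600, dane_present=False, rrsig_valid=True)
    broken = ChainExtension(pin_ttl=3600, dane_present=True, rrsig_valid=False)
    unpin = ChainExtension(pin_ttl=0, dane_present=False, rrsig_valid=True)
    return [
        c.handshake(host, 0, good),      # pin set until t=3600
        c.handshake(host, 100, denial),  # extension present, says "no TLSA": fine; pin until t=3700
        c.handshake(host, 200, None),    # operator dropped the extension: hard failure while pinned
        c.handshake(host, 300, broken),  # RRSIGs expired: also a hard failure while pinned
        c.handshake(host, 3700, None),   # pin expired: back to PKIX
        c.handshake(host, 3800, good),   # pinned again until t=7400
        c.handshake(host, 3900, unpin),  # orderly exit: ttl=0 withdraws the pin
        c.handshake(host, 3950, None),   # no pin, no extension: fine
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(scenario()):
        print(step, outcome)
```

Steps 1 and 6 are the "you can always send a denial of existence" path; steps 2 and 3 are the window in which a pinned client fails closed, and step 3 shows why an orderly exit needs the signing infrastructure to still work when you want to leave. Whether that window is acceptable without a test mode or report URI is exactly what the thread is arguing about; the model only makes the window visible.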