> On Apr 28, 2018, at 2:17 PM, Richard Barnes <r...@ipv.sx> wrote:
>
> Let's just scope this to the additive case.
When you say "additive case", do you mean to cover just applications where the extension is mandatory? Or do you expect the extension to also have some value when it is optional? I thought I explained fairly well why optional use does not pan out; there was no cost/benefit analysis to refute the one I posted (quoted below). Servers will never start deploying the non-mandatory "additive case" absent downgrade protection; it makes no sense for them to do that:

--- Viktor Dukhovni <ietf-d...@dukhovni.org>, 2018-04-08 19:27:36-0400 ---

And yet, as it stands, the deployment cost-benefit analysis for this extension in existing applications plays out as follows:

COSTS:

* You still manage WebPKI certificates to support the majority of existing clients.
* If the WebPKI is compromised, you're compromised.
* If DNSSEC is compromised, you're compromised.
* You pay the complexity cost of also supporting the extension.
* You might present incorrect TLSA records, and the connection might fail even when it would otherwise succeed with WebPKI.

BENEFITS:

* Nothing other than bragging rights that you're cool enough to deploy a shiny new technology.

---

Notably, just a confirmation that the above is basically sound:

--- Martin Thomson <martin.thom...@gmail.com>, 2018-04-05 12:07:57+1000 ---

Your cost benefit analysis seems about right though.

---

So with downgrade protection out, the present scope is *exactly* the applications where the extension is mandatory (whatever these might be).

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls