> On Apr 28, 2018, at 3:04 PM, Shumon Huque <shu...@gmail.com> wrote:
>
> This means "additive" mandatory or non-mandatory, I assume. Viktor opposes
> the latter case, I assume based on his (unproven) assertion that there will be no
> incentive to deploy this. I don't agree. Lots of sites already publish DANE for
> HTTPS records even before browsers can use them (IETF, freebsd, debian,
> torproject, defcon, ripe, etc). Once code is implemented/deployed they will be
> using it.
My arguments are sound. Would you care to estimate what fraction of published _443._tcp TLSA records actually match the site's certificate chain? What non-hobbyist sites publish such records? It may be cool to play DANE for HTTPS when nobody is verifying, and there's no operational burden of keeping the records correct (the one BENEFIT listed in my cost/benefit list), but real deployments need real incentives. With Let's Encrypt available, and no downgrade protection for HTTPS with DANE (via this extension), the incentive to support it is nil.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
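The question above, whether a published _443._tcp TLSA record still matches the certificate chain a site actually serves, comes down to the RFC 6698 matching step: pick the chain member the usage field names, take the full certificate or its SubjectPublicKeyInfo per the selector, digest it per the matching type, and compare. The following is an added example written for this page, not code from either poster or from any DANE implementation. It assumes a toy X.509-shaped DER certificate built inline (constructed sample input with a placeholder key and an unverifiable signature), does no DNSSEC lookup and no PKIX validation (which usages 0 and 1 additionally require), and for usages 0 and 2 only looks at issuer certificates present in the served chain. It also shows the operational point about keeping records correct: a "3 0 1" record (full-certificate digest) goes stale on every short-lived renewal, while a "3 1 1" record (SPKI digest) survives renewal as long as the key is reused.

```python
"""TLSA record matching against a served certificate chain (RFC 6698 rules).

Added example for illustration only; the certificate below is a constructed
toy in real X.509 DER layout, not a real or valid certificate.
"""
import hashlib
from typing import List, Tuple

TlsaRR = Tuple[int, int, int, bytes]  # usage, selector, matching type, data


def der(tag: int, payload: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int, int]:
    """Return (tag, header_start, value_start, end) of the TLV at pos."""
    start, tag, first = pos, buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, start, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 cert (TLSA selector 1).

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, _, cert_val, _ = read_tlv(cert_der, 0)           # Certificate
    _, _, pos, tbs_end = read_tlv(cert_der, cert_val)   # tbsCertificate
    fields = []
    while pos < tbs_end:
        tag, hdr, _, end = read_tlv(cert_der, pos)
        fields.append((tag, hdr, end))
        pos = end
    if fields[0][0] == 0xA0:  # explicit [0] version present
        fields = fields[1:]
    _, hdr, end = fields[5]   # serial, sigalg, issuer, validity, subject, SPKI
    return cert_der[hdr:end]


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data for a (selector, matching type) pair."""
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation-format rdata, e.g. '3 1 1 <hex>' for _443._tcp.<host>."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"


def parse_tlsa(rdata: str) -> TlsaRR:
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))


def tlsa_matches(rr: TlsaRR, chain: List[bytes]) -> bool:
    """Does one record match the served chain (end-entity first)?"""
    usage, selector, mtype, data = rr
    if usage in (1, 3):          # PKIX-EE / DANE-EE: end-entity cert only
        candidates = chain[:1]
    elif usage in (0, 2):        # PKIX-TA / DANE-TA: an issuer cert in the chain
        candidates = chain[1:]   # (simplification; PKIX validation not done here)
    else:
        return False             # unknown usage: unusable record
    return any(tlsa_data(c, selector, mtype) == data for c in candidates)


def rrset_matches(rrset: List[str], chain: List[bytes]) -> bool:
    """RFC 6698: the chain is accepted if at least one usable record matches."""
    return any(tlsa_matches(parse_tlsa(r), chain) for r in rrset)


def stale_records(rrset: List[str], chain: List[bytes]) -> List[str]:
    """Records that no longer match what the site serves."""
    return [r for r in rrset if not tlsa_matches(parse_tlsa(r), chain)]


# Constructed toy certificate material (hypothetical host, placeholder key).
_ECDSA_SHA256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
_NAME = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                     + der(0x0C, b"www.example.net"))))
_VALIDITY = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
_KEY_A = b"\x04" + bytes(range(64))        # uncompressed-point-shaped placeholder
_KEY_B = b"\x04" + bytes(range(64, 128))


def toy_cert(pubkey: bytes, serial: int) -> bytes:
    """X.509-shaped DER with id-ecPublicKey/prime256v1 SPKI and a dummy signature."""
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))
                         + der(0x06, bytes.fromhex("2a8648ce3d030107")))
               + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + _ECDSA_SHA256 + _NAME + _VALIDITY + _NAME + spki)
    return der(0x30, tbs + _ECDSA_SHA256 + der(0x03, b"\x00" + bytes(70)))


if __name__ == "__main__":
    old, renewed, rekeyed = toy_cert(_KEY_A, 1), toy_cert(_KEY_A, 2), toy_cert(_KEY_B, 3)
    zone = [make_tlsa(old, 3, 0, 1), make_tlsa(old, 3, 1, 1)]
    for label, chain in (("original", [old]), ("renewed, same key", [renewed]),
                         ("renewed, new key", [rekeyed])):
        print(f"{label}: rrset ok={rrset_matches(zone, chain)} "
              f"stale={[r[:5] for r in stale_records(zone, chain)]}")
```

Run as a script it prints that the "3 0 1" record is stale after a same-key renewal while "3 1 1" still matches, and that both are stale once the key changes; a real audit would fetch the _443._tcp TLSA RRset over DNSSEC and the chain from a TLS handshake, then feed them to `stale_records`.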