On 5/16/2018 5:34 PM, Viktor Dukhovni wrote:
> For the record, the reason that we're confident that two bytes are
> enough is that DNS TTLs already take care of sub-hour continuity
> for any provided TLSA records. So units of hours are natural, and
> make 16 bits quite sufficient.

The way I understand it, your proposal is not so much to "reserve 16 bits" but rather to "include a 16-bit field defined as the pinning time in hours". Or maybe, "reserve 16 bits as set to zero on send and ignored on receive" in the current TLS DNSSEC draft, let it be published as an RFC, and publish very soon a draft that defines the 16-bit field as the pinning time in hours, and presumably explains how to avoid the usual pitfalls of pinning.

Do I understand correctly?

-- 
Christian Huitema

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls