On Wed, Jul 18, 2018 at 01:54:09AM -0700, Eric Rescorla wrote:
> On Tue, Jul 17, 2018 at 7:30 PM, Viktor Dukhovni <ietf-d...@dukhovni.org>
> wrote:
> >
> >         c. Testing is not a good fit at this layer, all that's
> >            pinned is the ability to deliver the extension, after a
> >            previous connection delivered DANE TLSA records and a
> >            non-zero extension support lifetime.  There is no TLS-layer
> >            mechanism for the client to inform servers that don't
> >            offer the extension that this extension was expected
> >            while continuing the connection.  The closest we get is
> >            the TLS 1.3 missing_extension(109) alert, which does not
> >            carry the id of the missing extension, and is a failure
> >            alert.  Out-of-band notification would require HTTP
> >            support in applications that can't generally be expected
> >            to include an HTTP implementation.
> >
> 
> To the extent to which this is true, it's an argument that one should be
> pinning at a different layer.

Whichever layer the pinning is to be done at, the thing to pin, and for
how long, all need to be transported, and since that thing is in TLS, so
should the "for how long".

Nico
-- 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls