On Mon, 5 Nov 2018, Benjamin Kaduk wrote:
The draft tries to enable a trust model based on DNSSEC, but due to
missing pinning, fails to deliver that.
A better way is saying the draft enables a trust model that restricts
the webpki, addressing the problems of too many unrestricted root CA
players being accepted by TLS clients these days [provided the draft
adds a mechanism like pinning to prevent downgrade attacks]
If we don't agree on what the draft is trying to do, it seems rather
difficult to attempt to claim that there is WG consensus to publish it.
This seems to suggest that we may need more precise text in the
document about what it is (and is not) trying to do. The slides Sean
posted for the Wednesday session note that fairly early in the timeline
we thought:
I havent looked at the slides yet, I didnt see anything last time I
looked to see what te Wednesday slot would be like.
Primarily aimed at making
DANE practical for HTTPS,
where last-mile considerations
on the client end are a
significant part of the adoption
barrier.
Paul, are you proposing that this would only be PKIX-{EE,CA} to the
exclusion of DANE-{EE,CA}? (In terms of "restricts the webpki".)
No. The restriction of webpki can be to restrict to 0 webpki root CA's
and instead restrict to an EE cert or public key, as per TLSA usage selectors.
I was trying to be as short as possible for Rich, and keep the focus on
ensuring the draft gains support for restricting, for which we currently
have one proposal (pinning).
Paul
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
