On Tue, Nov 06, 2018 at 12:01:52AM -0500, Paul Wouters wrote:
> On Mon, 5 Nov 2018, Benjamin Kaduk wrote:
>
> >>The draft tries to enable a trust model based on DNSSEC, but due to
> >>missing pinning, fails to deliver that.
> >>
> >>A better way is saying the draft enables a trust model that restricts
> >>the webpki, addressing the problems of too many unrestricted root CA
> >>players being accepted by TLS clients these days [provided the draft
> >>adds a mechanism like pinning to prevent downgrade attacks]
> >
> >If we don't agree on what the draft is trying to do, it seems rather
> >difficult to attempt to claim that there is WG consensus to publish it.
> >
> >This seems to suggest that we may need more precise text in the
> >document about what it is (and is not) trying to do. The slides Sean
> >posted for the Wednesday session note that fairly early in the timeline
> >we thought:
>
> I haven't looked at the slides yet, I didn't see anything last time I
> looked to see what the Wednesday slot would be like.
>
> > Primarily aimed at making
> > DANE practical for HTTPS,
> > where last-mile considerations
> > on the client end are a
> > significant part of the adoption
> > barrier.
> >
> >Paul, are you proposing that this would only be PKIX-{EE,CA} to the
> >exclusion of DANE-{EE,CA}? (In terms of "restricts the webpki".)
>
> No. The restriction of webpki can be to restrict to 0 webpki root CAs
> and instead restrict to an EE cert or public key, as per TLSA usage selectors.
>
> I was trying to be as short as possible for Rich, and keep the focus on
> ensuring the draft gains support for restricting, for which we currently
> have one proposal (pinning).
Okay, thanks.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
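Paul's point that a TLSA record can "restrict to 0 webpki root CAs and instead restrict to an EE cert or public key, as per TLSA usage selectors" is the usage/selector/matching-type logic of RFC 6698. The following is an added illustration written for this page, not code from the draft, from Paul or from Ben. It assumes a `Cert` stand-in whose DER and SubjectPublicKeyInfo bytes have already been extracted by the caller (the sample bytes are constructed, not real certificates), takes the Web PKI validation outcome as an input (`pkix_valid`) rather than performing it, and simplifies the two trust-anchor usages to "the named CA appears among the presented issuers". It shows why a `3 1 1` record (DANE-EE, SPKI, SHA-256) consults no Web PKI root at all, while a `1 0 1` record (PKIX-EE) still requires ordinary chain validation.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# TLSA certificate usages (RFC 6698 section 2.1.1)
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# TLSA selectors (section 2.1.2): full certificate, or only its SubjectPublicKeyInfo
SEL_CERT, SEL_SPKI = 0, 1
# TLSA matching types (section 2.1.3)
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (assumption): the caller has already
    parsed the DER and pulled out the SubjectPublicKeyInfo."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data carried in the record


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    if selector == SEL_CERT:
        subject = cert.der
    elif selector == SEL_SPKI:
        subject = cert.spki
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == MATCH_FULL:
        return subject
    if matching == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching}")


def record_matches(record: TLSA, cert: Cert) -> bool:
    return association_data(cert, record.selector, record.matching) == record.data


def tlsa_accepts(record: TLSA, chain: List[Cert], pkix_valid: bool) -> bool:
    """chain[0] is the server's end-entity cert, chain[1:] the issuer certs it
    presented. pkix_valid is the outcome of ordinary Web PKI validation, which
    this example takes as an input rather than performing."""
    leaf, issuers = chain[0], chain[1:]
    if record.usage == PKIX_TA:
        # Web PKI validation still required, and the record must name a CA in the chain
        return pkix_valid and any(record_matches(record, c) for c in issuers)
    if record.usage == PKIX_EE:
        return pkix_valid and record_matches(record, leaf)
    if record.usage == DANE_TA:
        # Simplified: the named CA must appear among the presented issuers.
        # A full implementation also builds and validates a path to that CA.
        return any(record_matches(record, c) for c in issuers)
    if record.usage == DANE_EE:
        # No Web PKI root is consulted at all: the EE key itself is the anchor.
        return record_matches(record, leaf)
    return False  # unknown usage: treat as no usable record


def demo() -> dict:
    # Constructed sample bytes standing in for DER encodings (not real certificates).
    root = Cert("example-root-ca", b"DER(root)", b"SPKI(root)")
    leaf = Cert("www.example.com", b"DER(leaf)", b"SPKI(leaf)")
    rogue = Cert("www.example.com", b"DER(rogue)", b"SPKI(rogue)")  # same name, different key
    chain, rogue_chain = [leaf, root], [rogue, root]

    # "3 1 1": DANE-EE, SPKI, SHA-256 -- zero Web PKI roots are trusted
    pin_key = TLSA(DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(leaf.spki).digest())
    # "1 0 1": PKIX-EE, full certificate, SHA-256 -- the Web PKI chain must still validate
    constrain_ee = TLSA(PKIX_EE, SEL_CERT, MATCH_SHA256, hashlib.sha256(leaf.der).digest())

    return {
        "dane_ee_without_webpki": tlsa_accepts(pin_key, chain, pkix_valid=False),
        "dane_ee_rogue_key": tlsa_accepts(pin_key, rogue_chain, pkix_valid=True),
        "pkix_ee_without_webpki": tlsa_accepts(constrain_ee, chain, pkix_valid=False),
        "pkix_ee_with_webpki": tlsa_accepts(constrain_ee, chain, pkix_valid=True),
    }


if __name__ == "__main__":
    for outcome, accepted in demo().items():
        print(f"{outcome}: {accepted}")
```

The `dane_ee_rogue_key` case is the restriction in action: a certificate for the same name issued under a root the client would otherwise accept is rejected because its key does not match the pinned SPKI. Note that this only holds when the client actually receives and requires the TLSA data; the thread's pinning discussion is about what happens when an attacker can cause that data to be absent.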