On Tue, Nov 20, 2018 at 6:04 PM Salz, Rich <rs...@akamai.com> wrote:

> Sure a list of ciphersuites isn't bad. But the current
> design has a set of keys and a set of ciphersuites and a
> set of extensions and a set of Rdata values in the RRset.
>
> Since this is defined for TLS 1.3 with all known-good ciphers, can't that
> field be eliminated?

No, I don't think so. The server might choose to not support one of the TLS 1.3 ciphers, for instance. And even if that weren't true, how would we add new ciphers?

-Ekr

> I'd bet a beer on such complexity being a source of bugs
> every time.
>
> All sorts of aphorisms come to mind. :)
>
> > This has a totally different expiry behavior from RRSIGs, so I'm
> > not sure that's that useful an analogy.
>
> Disagree. They're both specifying a time window for DNS data.
> Same problems will arise is my bet.
>
> I am inclined to agree.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls