-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Yoav,

About: DNSSEC can detect filtered out information (often not
understood as it involves that complicated denial of existence part of
DNSSEC).

On 10/12/2012 11:24 AM, Yoav Nir wrote:
> Hi Marc
> 
> I assume you're talking about TLS proxies rather than HTTP
> proxies. Those are in a position to sign certificates on behalf of
> all the https servers in the world, that would be trusted by the
> client. If they have that kind of control, I don't see how they'd
> have any problem either filtering out TLSA records from DNS queries
> and responses or getting the client to trust their own signatures.

A resolver can detect that TLSA records have been filtered out.  (but
cannot then reconstruct that data, i.e. no connection).

> A draft from a few months ago ( 
> http://tools.ietf.org/html/draft-mcgrew-tls-proxy-server-01 )
> would solve this problem, as it allows the client to see the real 
> certificate. But that TLS extension was rejected, so it's pretty
> much dead.

Well, it would not see the real certificate, but know that trouble exists
(TLSA got filtered) and can stop the connection.

Technically, the resolver knows that 'it could not successfully prove
that the TLSA did not exist', and it cannot get a TLSA.  So, the
fallback to plain PKIX should not be performed.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
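The decision rule Wouter describes, as an added example that is not part of this thread or of any DANE implementation: a toy DNSSEC validator in Python that classifies the answer to a TLSA query as secure, securely absent (NODATA or NXDOMAIN proven by a signed NSEC record), insecure (unsigned zone), or bogus, together with the client policy that falls back to PKIX only when absence is proven. The zone contents, names, the `ZONE_KEY` secret and the HMAC standing in for an RRSIG are all constructed for the demo; real DNSSEC uses public-key signatures, and a full validator also checks wildcard and closest-encloser proofs that are omitted here. The point it demonstrates is the one in the message: a proxy that strips the TLSA record cannot also manufacture the signed denial of existence, so the validator ends up BOGUS and the client aborts rather than degrading to plain PKIX.

```python
import hashlib
import hmac

# Constructed for the demo: stands in for the zone's private DNSSEC key.
ZONE_KEY = b"example.com ZSK (constructed, not a real key)"
SECURE, NODATA, NXDOMAIN, INSECURE, BOGUS = "SECURE", "NODATA", "NXDOMAIN", "INSECURE", "BOGUS"


def canonical(name):
    return name.rstrip(".").lower()


def canon_key(name):
    # DNSSEC canonical ordering: compare label by label starting at the root.
    return tuple(reversed(canonical(name).split(".")))


def rr(owner, rtype, rdata, key=ZONE_KEY):
    """A resource record plus its 'RRSIG'. HMAC stands in for the public-key
    signature; anyone without ZONE_KEY cannot produce a valid one."""
    owner = canonical(owner)
    msg = f"{owner}|{rtype}|{rdata}".encode()
    return {"owner": owner, "type": rtype, "rdata": rdata,
            "rrsig": hmac.new(key, msg, hashlib.sha256).hexdigest()}


def rrsig_ok(r):
    expected = rr(r["owner"], r["type"], r["rdata"])["rrsig"]
    return hmac.compare_digest(r["rrsig"], expected)


def nsec_covers(owner, nxt, qname):
    """True if qname sorts strictly between owner and next (the last NSEC in
    a zone wraps around to the apex)."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    return o < q < n if o < n else (q > o or q < n)


def validate(qname, qtype, answer, zone_signed=True):
    """Toy validator: classify the response to (qname, qtype)."""
    qname = canonical(qname)
    if not zone_signed:
        return INSECURE
    data = [r for r in answer if r["owner"] == qname and r["type"] == qtype]
    if data:
        return SECURE if all(rrsig_ok(r) for r in data) else BOGUS
    # No data: only a validly signed NSEC can prove the RRset does not exist.
    for r in answer:
        if r["type"] != "NSEC" or not rrsig_ok(r):
            continue
        nxt, *types = r["rdata"].split()
        if r["owner"] == qname and qtype not in types:
            return NODATA
        if nsec_covers(r["owner"], nxt, qname):
            return NXDOMAIN
    return BOGUS  # stripped, unsigned or forged: nothing proven either way


def dane_decision(status):
    """What a DANE-aware TLS client does with the TLSA lookup result."""
    if status == SECURE:
        return "USE_DANE"
    if status in (NODATA, NXDOMAIN, INSECURE):
        return "FALLBACK_PKIX"  # absence of TLSA is proven, or zone is unsigned
    return "ABORT"              # BOGUS: cannot prove absence, cannot get TLSA


TLSA_NAME = "_443._tcp.www.example.com"
TLSA_RDATA = "3 1 1 " + "ab" * 32  # DANE-EE, SPKI, SHA-256; constructed digest

# Constructed signed zone: NSEC chain in canonical order, bitmaps list the
# types present at each owner name.
ZONE = [
    rr("example.com", "NSEC", "mail.example.com SOA NS RRSIG NSEC"),
    rr("mail.example.com", "NSEC", "www.example.com A RRSIG NSEC"),
    rr("www.example.com", "NSEC", TLSA_NAME + " A AAAA RRSIG NSEC"),
    rr(TLSA_NAME, "TLSA", TLSA_RDATA),
    rr(TLSA_NAME, "NSEC", "example.com TLSA RRSIG NSEC"),
]


def authoritative_answer(qname, qtype):
    """Honest server: the data, or the NSEC record(s) that prove its absence."""
    qname = canonical(qname)
    data = [r for r in ZONE if r["owner"] == qname and r["type"] == qtype]
    if data:
        return data
    return [r for r in ZONE if r["type"] == "NSEC" and
            (r["owner"] == qname or nsec_covers(r["owner"], r["rdata"].split()[0], qname))]


def proxy_strips_tlsa(answer):
    """Interception proxy filtering TLSA records out of the response."""
    return [r for r in answer if r["type"] != "TLSA"]


def proxy_forges_nodata(answer):
    """Same proxy trying to 'prove' there is no TLSA, without the zone key."""
    return [rr(TLSA_NAME, "NSEC", "example.com A RRSIG NSEC", key=b"proxy key")]


def proxy_replays_zone_nsec(answer):
    """Strip TLSA but replay the zone's genuine NSEC for the name; its signed
    type bitmap still says TLSA exists, so it proves nothing."""
    return proxy_strips_tlsa(answer) + [r for r in ZONE
                                        if r["type"] == "NSEC" and r["owner"] == TLSA_NAME]


def lookup(qname, qtype="TLSA", tamper=None, zone_signed=True):
    answer = authoritative_answer(qname, qtype)
    if tamper:
        answer = tamper(answer)
    status = validate(qname, qtype, answer, zone_signed)
    return status, dane_decision(status)


if __name__ == "__main__":
    for label, args in [("honest", {}), ("TLSA stripped", {"tamper": proxy_strips_tlsa}),
                        ("forged NSEC", {"tamper": proxy_forges_nodata}),
                        ("replayed NSEC", {"tamper": proxy_replays_zone_nsec}),
                        ("unsigned zone", {"zone_signed": False})]:
        print(f"{label:14s}", lookup(TLSA_NAME, **args))
    print("no TLSA at www ", lookup("www.example.com"))
```

The three tampering variants all land on BOGUS for the same reason: the validator needs either the signed TLSA RRset or a signed NSEC whose bitmap lacks TLSA at that name, and the proxy can produce neither. Contrast `lookup("www.example.com")`, where the zone's own NSEC proves NODATA and falling back to PKIX is legitimate.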