Hi, I am confused by the last paragraph of 4.1 in RFC6698. To my understanding in the case of a "domain is insecure or indeterminate" there is no security benefit compared to TLS processed in the normal fashion. Thus, also in this case the application "SHOULD NOT make any internal or external indication that TLSA was applied."
Referred paragraph:

"Thus, in order to achieve any security benefit from certificate usage 0 or 1, an application that sends a request for TLSA records needs to get either a valid signed response containing TLSA records or verification that the domain is insecure or indeterminate. If a request for a TLSA record does not meet one of those two criteria but the application continues with the TLS handshake anyway, the application has gotten no benefit from TLSA and SHOULD NOT make any internal or external indication that TLSA was applied."

Christian
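To make the three DNSSEC outcomes in the quoted paragraph concrete, here is an added Python sketch (not from the post or from any DANE implementation) of the client-side decision: only a DNSSEC-secure TLSA RRset that matches the presented certificate lets the client claim TLSA was applied; insecure, indeterminate and bogus responses all lead to "no DANE indication". It assumes the caller already has the DNSSEC validation status and the certificate and SubjectPublicKeyInfo as DER bytes, and it only handles end-entity usages (1 and 3); the DER values below are constructed placeholders.

```python
import hashlib
from enum import Enum
from typing import NamedTuple, Sequence

class DnssecStatus(Enum):
    SECURE = "secure"                # response validated under DNSSEC
    INSECURE = "insecure"            # provably unsigned delegation
    INDETERMINATE = "indeterminate"  # no trust anchor covers the zone
    BOGUS = "bogus"                  # signed, but validation failed

class TLSA(NamedTuple):
    usage: int      # 0 CA constraint, 1 service cert, 2 trust anchor, 3 domain-issued
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data as published in DNS

def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the value the record's data field is compared against."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.matching == 0:
        return selected
    if rr.matching == 1:
        return hashlib.sha256(selected).digest()
    if rr.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rr.matching}")

def dane_outcome(status: DnssecStatus, records: Sequence[TLSA],
                 cert_der: bytes, spki_der: bytes) -> tuple:
    """Return (tlsa_applied, reason). tlsa_applied is True only when the
    client may indicate that TLSA was applied: a secure RRset matched."""
    if status in (DnssecStatus.INSECURE, DnssecStatus.INDETERMINATE):
        return False, "unsigned zone: process TLS normally, no DANE indicator"
    if status is DnssecStatus.BOGUS:
        # Neither valid nor provably unsigned: TLSA gives no benefit (RFC 6698 4.1)
        return False, "bogus TLSA response: no benefit, no DANE indicator"
    if not records:
        return False, "secure but empty RRset: process TLS normally"
    # Simplification (assumption): only end-entity usages 1 and 3 are checked;
    # usages 0 and 2 would be compared against a certificate in the chain.
    for rr in records:
        if rr.usage in (1, 3) and association_data(rr, cert_der, spki_der) == rr.data:
            return True, f"matched usage {rr.usage} record"
    return False, "secure TLSA records present but certificate matches none"

# Constructed stand-ins for DER blobs (not real certificates or keys)
CERT_DER = b"\x30\x82\x01\x00" + b"example-cert"
SPKI_DER = b"\x30\x59" + b"example-spki"
RECORD_MATCH = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())
RECORD_MISMATCH = TLSA(3, 1, 1, b"\x00" * 32)
```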
