On Fri, 9 Nov 2012, Christian Becker wrote:
Date: Fri, 9 Nov 2012 14:18:45
From: Christian Becker <[email protected]>
To: [email protected]
Subject: [dane] no security benefit from insecure or indeterminate domains
Hi,
I am confused by the last paragraph of 4.1 in RFC6698. To my
understanding in the case of a "domain is insecure or indeterminate"
there is no security benefit compared to TLS processed in the normal
fashion. Thus, also in this case the application "SHOULD NOT make any
internal or external indication that TLSA was applied."
Well, for "indeterminate", you know that the DNS was very broken, or
possibly tampered with, and prevented receiving positive or negative
proof from DNS/TLSA.
To me, the actions to perform for "insecure" versus "indeterminate" are
quite different.
Paul