On 10.11.2012 01:11, Paul Wouters wrote:
> On Fri, 9 Nov 2012, Christian Becker wrote:
>> I am confused by the last paragraph of 4.1 in RFC6698. To my
>> understanding in the case of a "domain is insecure or indeterminate"
>> there is no security benefit compared to TLS processed in the normal
>> fashion. Thus, also in this case the application "SHOULD NOT make any
>> internal or external indication that TLSA was applied."
>
> Well, for "indeterminate", you know that the DNS was very broken, or
> possibly tampered with, and prevented receiving positive or negative
> proof from DNS/TLSA.
>
> To me, the actions to perform for "insecure" versus "indeterminate" are
> quite different.
I agree, this should be a difference, but 1.) as stated above, RFC6698 handles these two cases together, probably for the reason that 2.) RFC4033 also says in paragraph 5 that "The current signaling mechanism does not distinguish between indeterminate and insecure states." That is why, to my understanding, it is one case, "insecure or indeterminate", and should be handled as the worst case, namely that the data could have been tampered with and therefore the application "SHOULD NOT make any internal or external indication that TLSA was applied."

Christian
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
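The point of the thread, that a stub behind a validating resolver sees only what the RFC 4033 signaling mechanism exposes and therefore cannot separate "insecure" from "indeterminate", can be shown in code. This is an added example, not code from the thread or from any DANE implementation; the response fields and the two helper functions are assumptions chosen for illustration.

```python
# Added example: from resolver signaling to the RFC 6698 4.1 decision.
from enum import Enum


class DnssecState(Enum):
    SECURE = "secure"
    BOGUS = "bogus"
    # One state on purpose: the AD bit cannot separate the two (RFC 4033).
    INSECURE_OR_INDETERMINATE = "insecure or indeterminate"


def state_from_response(rcode, ad_flag, cd_flag):
    """Map what a validating resolver signals to a DNSSEC state.

    AD=1 on a NOERROR answer means the data validated as secure.
    A validating resolver answers SERVFAIL for bogus data when the
    client did not set CD; a stub cannot tell that apart from an
    ordinary server failure, so it is treated as bogus (the safe side).
    NOERROR with AD=0 is either insecure (no chain of trust) or
    indeterminate (validation could not complete); the wire format
    gives no way to tell which.
    """
    if rcode == "SERVFAIL" and not cd_flag:
        return DnssecState.BOGUS
    if rcode == "NOERROR" and ad_flag:
        return DnssecState.SECURE
    return DnssecState.INSECURE_OR_INDETERMINATE


def dane_decision(state, tlsa_records):
    """RFC 6698 4.1 handling, returned as (action, tlsa_applied).

    bogus  -> do not start / abort TLS
    secure with usable TLSA records -> TLS with TLSA applied
    anything else -> TLS in the normal fashion, and no internal or
                     external indication that TLSA was applied
    """
    if state is DnssecState.BOGUS:
        return ("abort", False)
    if state is DnssecState.SECURE and tlsa_records:
        return ("tls_with_tlsa", True)
    return ("tls_normal", False)


if __name__ == "__main__":
    # Constructed sample: an unvalidated answer that still carries a TLSA RR.
    state = state_from_response("NOERROR", ad_flag=False, cd_flag=False)
    print(state.value, dane_decision(state, ["3 1 1 <constructed-hash>"]))
```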
