On Sat, 10 Nov 2012, Christian Becker wrote:
I agree, this should be a difference, but
1.) as stated above, the RFC6698 handles these two cases together
probably for the reason that
2.) also RFC4033 says in paragraph 5 that "The current signaling
mechanism does not distinguish between indeterminate and insecure states."
That is why to my understanding it is one case "insecure or
indeterminate" and should be handled as the worst case, namely the data
could have been tampered and therefore the application "SHOULD NOT make
any internal or external indication that TLSA was applied."
If you are under attack (possible when in indeterminate) I would hope
the user gets to see more than the lack of a security identifier.
Paul
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
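The handling the thread is arguing about, as an added illustration that is not from the thread or from any RFC text: a stub's view of a TLSA lookup is mapped onto the RFC 4035 states, and the secure / bogus / insecure-or-indeterminate split of RFC 6698 section 4.1 is then applied. It assumes a stub that sets the DO bit and talks to a validating resolver over a trusted path, and it treats SERVFAIL from that resolver as bogus, which is a conservative choice since a stub cannot tell a validation failure from an outage.

```python
from enum import Enum


class DnssecState(Enum):
    """Validation states from RFC 4035 section 4.3."""
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"


class Disposition(Enum):
    APPLY_TLSA = "apply TLSA constraints; DANE may be indicated"
    ABORT = "refuse the connection"
    NO_DANE = "proceed without DANE; give no indication TLSA was applied"


def classify_lookup(rcode: str, ad_flag: bool, trusted_validating_resolver: bool) -> DnssecState:
    """Map what a stub sees for a TLSA query onto a DNSSEC validation state.

    Assumption (illustration only): the AD bit is meaningful only when the
    answer comes from a validating resolver over a trusted path.
    """
    if not trusted_validating_resolver:
        # No validation happened anywhere the stub can trust: indeterminate.
        return DnssecState.INDETERMINATE
    if rcode == "SERVFAIL":
        # A validating resolver returns SERVFAIL for bogus data; a stub cannot
        # separate that from an ordinary failure, so treat it as bogus.
        return DnssecState.BOGUS
    if rcode in ("NOERROR", "NXDOMAIN"):
        # AD set: the answer (or the denial of existence) validated.
        return DnssecState.SECURE if ad_flag else DnssecState.INSECURE
    return DnssecState.INDETERMINATE


def tlsa_disposition(state: DnssecState, tlsa_records: list) -> Disposition:
    """Apply the RFC 6698 section 4.1 rules to a validated (or not) TLSA RRset."""
    if state is DnssecState.BOGUS:
        return Disposition.ABORT
    if state is DnssecState.SECURE and tlsa_records:
        return Disposition.APPLY_TLSA
    # Secure denial of existence, or insecure/indeterminate: the two latter
    # states are one case here, and the application must not signal DANE.
    return Disposition.NO_DANE
```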