On Wed, Apr 17, 2013 at 08:52:44PM -0400, Andrew Sullivan wrote:
> On Thu, Apr 18, 2013 at 12:36:37AM +0200, Martin Rex wrote:
>
> >
> > Viktor's submitted errata is both important and valuable.
>
> That may well be, but I don't think it's an erratum. It's a
> substantive change.
It is an explanation of a somewhat non-obvious interoperability
requirement to server operators who may miss it otherwise. No
change at all. If the server operator publishes TLSA 2 1 1, for
example, but fails to provide the associated certificate, clients
will not be able to verify his chain, even though it may seem to many that
publishing the TLSA RR is enough.
I am trying to be flexible in how this is resolved, but surely
Andrew's response is wrong. I will resist what little temptation
exists to explain it again, by now the thread contains more than
enough ways of explaining the same thing. Even Paul has agreed
that my observation is basically sound (and does not change the
standard), the only question that remains is what is the most
effective way to communicate this to server operators so that the
standard will work in practice.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
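
An added worked example of the interoperability point above (this is not code from the thread, from any DANE draft, or from any DANE implementation): a Go program that constructs a private CA and a leaf certificate, derives the TLSA 2 1 1 record for the CA from the SHA-256 of its SubjectPublicKeyInfo, and then verifies the leaf the way a DANE-TA client must, once with the trust-anchor certificate included in the presented chain and once with it left out. The host name mail.example.com, the certificate contents and all function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RFC 6698 RDATA fields; "2 1 1" is usage 2 (DANE-TA),
// selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256).
type TLSA struct {
	Usage, Selector, Matching uint8
	Data                      []byte
}

// TLSA211 derives the record an operator would publish for trust anchor ta.
func TLSA211(ta *x509.Certificate) TLSA {
	sum := sha256.Sum256(ta.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 2, Selector: 1, Matching: 1, Data: sum[:]}
}

// VerifyDaneTA validates a presented chain (leaf first) against a 2 1 1 record.
// The client has no trust store here: its only usable root is a chain certificate
// whose SPKI digest equals the record, so a chain without the TA cannot verify.
func VerifyDaneTA(chain []*x509.Certificate, rr TLSA) error {
	if rr.Usage != 2 || rr.Selector != 1 || rr.Matching != 1 || len(chain) == 0 {
		return errors.New("example handles only TLSA 2 1 1 with a non-empty chain")
	}
	var ta *x509.Certificate
	for _, c := range chain {
		if sum := sha256.Sum256(c.RawSubjectPublicKeyInfo); bytes.Equal(sum[:], rr.Data) {
			ta = c
			break
		}
	}
	if ta == nil {
		return errors.New("no chain certificate matches the TLSA digest: server must send the trust anchor")
	}
	// The matched certificate is the only root; the rest are offered as intermediates.
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ta)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and has signer certify tmpl for it (nil signer = self-signed).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Scenarios builds a constructed private CA (the TA) and a leaf for the assumed host
// mail.example.com, then checks the leaf with the TA in the chain and with it left out.
func Scenarios() (withTA, withoutTA error) {
	now := time.Now()
	ta, taKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed DANE-TA CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "mail.example.com"},
		DNSNames: []string{"mail.example.com"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, ta, taKey)
	rr := TLSA211(ta)
	withTA = VerifyDaneTA([]*x509.Certificate{leaf, ta}, rr)
	withoutTA = VerifyDaneTA([]*x509.Certificate{leaf}, rr)
	return withTA, withoutTA
}

func main() {
	withTA, withoutTA := Scenarios()
	fmt.Println("chain includes TA:", withTA, "| chain omits TA:", withoutTA)
}
```

Run it with `go run`: the first verification succeeds and the second fails before any signature is examined, because nothing in the presented chain matches the published digest. The record names the trust anchor; only the server can put the anchor itself in front of the client.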