>>>>> "CN" == Chris Newman <[email protected]> writes:

CN> *2* I believe it's undesirable to attempt to deploy DANE TLSA for
CN> submission services (port 587 or de-facto port 465)

TLSA SHOULD be checked for *all* TLS connections by clients.

We should not have any RFCs which try to exempt certain ports, nor
recommend avoiding DANE for certain ports or services.

We want the TLS libraries to implement it (as gnutls has done) and for
applications to take advantage of DANE whenever they initiate TLS
sockets.

The only real question is what to do when provided just an ip address.
Should the TLSA be checked in arpa., or should it look under the name
returned by a PTR lookup?

-JimC
--
James Cloos <[email protected]>
OpenPGP: 1024D/ED7DAEA6
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
