On Mon, Mar 17, 2014 at 02:46:41PM -0400, Paul Wouters wrote:
> >My proposal modifies the pseudo-code
> >to loop over only those records (for each usage/selector) with the
> >strongest digest plus any records with matching type 0.
>
> So I agree with you that is the right approach. I am not sure if I
> agree that we should try and write that into an RFC other than
> "according to local policy".
>
> but the text should clearly not be like 6698, that would technically
> violate the RFC if your method of local policy is implemented.
The motivation to publish the proposed digest algorithm agility
algorithm is to encourage (coerce) server operators to make sure
that they always use "cross product" TLSA RRsets:
    for each usage
        for each selector (for that usage)
            for each supported digest
                for each object (of given usage and selector)
                    publish usage selector mtype(digest) {digest(object)}
since the set of digests is the same for every object, it is safe
to ignore any subset of the non-zero mtypes.
Now this is in some sense already implied by 6698 since the server
operator does not know which digests might be excluded by a 6698
4.1 local policy. The goal is to both highlight this requirement,
and to encourage (require) clients to implement agility rather than
leave it to implementor's imagination.
In Postfix, users get to configure which digests are acceptable
and their priority. The default is to support both SHA2-256 and
SHA2-512 and to prefer the latter.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
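The publisher-side cross-product loop and the client-side selection rule described in the message, worked through as an added example in Python (this is not code from the thread, Postfix or any DANE library). The TLSA record is modelled as a plain tuple (usage, selector, matching type, data); matching type values 0, 1 and 2 are the RFC 6698 assignments for full object, SHA2-256 and SHA2-512; the certificate objects and the unassigned matching type 255 in the comments are constructed placeholders, and the preference order SHA2-512 over SHA2-256 mirrors the Postfix default mentioned in the message.

```python
import hashlib
from collections import defaultdict

# TLSA matching types (RFC 6698 section 2.1.3).
MTYPE_FULL = 0      # data is the full object (cert or SPKI)
MTYPE_SHA256 = 1    # data is SHA2-256 of the object
MTYPE_SHA512 = 2    # data is SHA2-512 of the object

# Digest functions for the non-zero matching types this client supports.
HASHERS = {MTYPE_SHA256: hashlib.sha256, MTYPE_SHA512: hashlib.sha512}


def publish_cross_product(objects, mtypes):
    """Publisher side: build the 'cross product' RRset.

    objects maps (usage, selector) -> list of DER objects (bytes) that the
    selector yields for each certificate the operator wants to match.
    Every object is published once per matching type in `mtypes`, so the set
    of digests is identical for every object and a client may safely ignore
    any subset of the non-zero matching types.
    Returns a list of (usage, selector, mtype, data) tuples.
    """
    rrset = []
    for (usage, selector), objs in objects.items():
        for mtype in mtypes:
            for obj in objs:
                data = obj if mtype == MTYPE_FULL else HASHERS[mtype](obj).digest()
                rrset.append((usage, selector, mtype, data))
    return rrset


def select_agile(rrset, preference):
    """Client side: digest algorithm agility over a TLSA RRset.

    `preference` lists supported digest matching types, strongest first.
    For each (usage, selector) pair, keep every matching-type-0 record plus
    the records whose matching type is the strongest supported digest that
    is actually present in that group.  Records with unsupported or weaker
    digests are dropped, which is safe only if the RRset is a cross product.
    """
    groups = defaultdict(list)
    for rr in rrset:
        groups[(rr[0], rr[1])].append(rr)

    chosen = []
    for rrs in groups.values():
        present = {rr[2] for rr in rrs}
        best = next((m for m in preference if m in present), None)
        for rr in rrs:
            if rr[2] == MTYPE_FULL or rr[2] == best:
                chosen.append(rr)
    return chosen


def matches(rr, obj):
    """Return True if the TLSA record `rr` matches the DER object `obj`."""
    mtype, data = rr[2], rr[3]
    if mtype == MTYPE_FULL:
        return data == obj
    hasher = HASHERS.get(mtype)
    return hasher is not None and hasher(obj).digest() == data


def any_match(rrset, preference, obj):
    """Full client check: apply agility, then test the candidate records."""
    return any(matches(rr, obj) for rr in select_agile(rrset, preference))


if __name__ == "__main__":
    # Constructed stand-ins for two SPKI objects (usage 3 = DANE-EE, selector 1 = SPKI).
    objs = {(3, 1): [b"constructed-spki-A", b"constructed-spki-B"]}
    rrset = publish_cross_product(objs, [MTYPE_SHA256, MTYPE_SHA512])
    print("published", len(rrset), "records")
    for rr in select_agile(rrset, [MTYPE_SHA512, MTYPE_SHA256]):
        print("candidate:", rr[0], rr[1], rr[2], rr[3].hex()[:16] + "...")
    print("B accepted:", any_match(rrset, [MTYPE_SHA512, MTYPE_SHA256], b"constructed-spki-B"))
```

Because the publisher emits every object under every digest, a client that only supports SHA2-256 and one that prefers SHA2-512 both end up with exactly one candidate record per object; an RRset that is not a cross product would silently lose objects for whichever client drops the digest they were published under.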