On Mar 17, 2014, at 11:22 AM, Viktor Dukhovni <[email protected]> wrote:
> On Mon, Mar 17, 2014 at 11:14:32AM -0700, Paul Hoffman wrote:
>
>>> There is no text in 6698 that even approximately suggests that clients
>>> get to use only the records with the strongest (local criteria) digest.
>>
>> In Section 4.1:
>> o A TLSA RRSet whose DNSSEC validation state is secure MUST be used
>> as a certificate association for TLS unless a local policy would
>> prohibit the use of the specific certificate association in the
>> secure TLSA RRSet.
>
> This is not "use strongest".
Correct.
> This is the opposite.
Not correct. It allows local policy of any sort. Some local policies will be
"do not use X because it is weak".
> It forces the
> use of tarnished, but still acceptable digests even when untarnished
> digests are present.
It does not because that choice is local policy.
> The new proposal is to ignore all but the
> strongest, even when the remainder would be usable.
That new proposal mandates a view of "strongest". Local policy should still
trump that mandate.
> Also the pseudo-code in the appendices loops over *all* "usable" TLSA
> RRs (those not banned by 4.1).
Correct. And RRs that are prohibited by local policy have already been removed:
for each R in TLSArecords {
// unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, erroneous RDATA, and
// prohibited by local policy
if (R is unusable) {
remove R from TLSArecords
}
}
> My proposal modifies the pseudo-code
> to loop over only those records (for each usage/selector) with the
> strongest digest plus any records with matching type 0.
Over-riding local policy is a non-starter, at least in my opinion.
Also: your focus on digests is possibly misplaced; why do you believe that a
digest is more likely to be tarnished than a signature algorithm itself?
--Paul Hoffman
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
