On 12 May 2014, at 22:42, Viktor Dukhovni <[email protected]> wrote:
>> Interesting, are you saying we want to examine/specify
>> client side DANE records (right now DANE is all about server side records).
>
> Yes, but we likely can't specify the lookup keys in an application
> neutral manner. Rather we can discuss the problem generally, and
> allow individual application protocols to construct appropriate
> keys. Still there could be some guidance on how to apply DANE to
> TLS client identity (when the client identity can be mapped to a
> suitable name in DNS).

That is something that also applies to SIP, where we have an RFC about connection reuse in SIP/TLS. For server-to-server connections it is important to be able to verify a list of domains each side is authorized to use. Today we do this with a long list of domains in SAN, but since my DANE/SIP draft removes that list for server certificates, we are now in a situation where client certs use SAN and the server, if using DANE, does not.

The question it then boils down to is how I verify an incoming connection from an IP address with a name. Maybe a DNSSEC-secured reverse lookup is a starting point. What's the state of DNSSEC in .arpa?

/O
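The "reverse lookup as a starting point" idea above, as an added example that is not part of the original post: a forward-confirmed reverse DNS check that only accepts DNSSEC-validated answers and then requires the resulting name to appear in the client certificate's SAN list. The resolver, the zone data and the host names are all constructed stand-ins (a real deployment would query a validating resolver and read the AD bit).

```python
import ipaddress

# Constructed lookup table standing in for a validating resolver (not real zones).
# name -> (records, dnssec_validated); the boolean plays the role of the AD bit.
FAKE_DNS = {
    "4.3.2.1.in-addr.arpa.":    (["sip1.example.net."], True),
    "sip1.example.net.":        (["1.2.3.4"], True),
    "8.7.6.5.in-addr.arpa.":    (["sip2.example.org."], False),  # unsigned reverse zone
    "sip2.example.org.":        (["5.6.7.8"], True),
    "12.11.10.9.in-addr.arpa.": (["spoof.example.com."], True),
    "spoof.example.com.":       (["203.0.113.7"], True),          # forward does not confirm
}

def fake_resolve(name, rrtype):
    """Stand-in resolver: returns (records, validated); ([], False) if unknown."""
    return FAKE_DNS.get(name, ([], False))

def reverse_name(ip):
    # ipaddress builds both in-addr.arpa and ip6.arpa owner names
    return ipaddress.ip_address(ip).reverse_pointer + "."

def verify_client_identity(peer_ip, san_names, resolve=fake_resolve):
    """Map a connecting IP to a DNS name that the client certificate's SAN
    list also carries.  Returns the matched name, or None.  Every step must
    be DNSSEC-validated; an unsigned answer is treated as no answer."""
    addr = ipaddress.ip_address(peer_ip)
    ptr_names, validated = resolve(reverse_name(addr), "PTR")
    if not validated or not ptr_names:
        return None
    sans = {n.rstrip(".").lower() for n in san_names}
    fwd_type = "AAAA" if addr.version == 6 else "A"
    for candidate in ptr_names:
        fwd_addrs, validated = resolve(candidate, fwd_type)
        # forward-confirmed reverse DNS: the name must point back to the peer
        if not validated or str(addr) not in fwd_addrs:
            continue
        name = candidate.rstrip(".").lower()
        if name in sans:
            return name
    return None
```

Note that this only binds an IP to a name; it says nothing about the certificate's key, which is what a client-side TLSA lookup keyed on that name would add.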
