On Sat, Jun 07, 2014 at 05:01:58AM -0400, James Cloos wrote:
> VD> Indeed I was/am expecting some TLS implementations to automatically
> VD> negotiate RPK and use keys extracted from the leaf certificate (far
> VD> simpler in mixed environments than configuring separate bare SPKI
> VD> objects).
>
> I tend to expect crypto authors to be more conservative in enabling new
> extensions by default. Heartbleed, of course, demonstrates that such
> conservatism isn't always there....
>
> If it does get added to the libs enabled by default, w/o the need for
> application buy in, things will be radically different than what I
> expected.
I was expecting at least some implementations to be on by default
on the server, and off by default on the client. Then, when the
client asks, and the server is capable, RPK would be used.
If no specification requires any particular default mode of operation,
then likely neither you nor I have any rational basis for our
expectations.
> VD> * The server's responsibility to carefully publish TLSA records
> VD> in such a way that no U/S/M subset is purely past/future, also
> VD> closing the exposure.
>
> That would be my preference.
OK, when I get a chance, I'll write up the desired invariant and
strategies for ensuring it is met in the "ops" draft.
Is there anyone who now or still supports my original suggestion
that clients ought to be cautious in the face of "mixed" TLSA
records? Should the above server TLSA record update strategy be
a BCP or a mandate (RECOMMENDED vs. SHOULD)?
> VD> If the consensus is that PRK enablement in server applications
> VD> needs to be explicit, and it needs to be off by default,
>
> I wasn't advocating either way. Just anticipating that lib and app
> authors would be conservative about the new extension.
>
> And I doubt any will care whether an rfc demands by default or only when
> configured.
Whether or not toolkit implementors "care" (I am guessing they
would), I think stating the requirement (if it is to be a requirement)
is necessary.
So what is the view of the WG re: server RPK support? On by default
OK? Required off by default, unless enabled by server administrator?
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
