On Thu, Apr 16, 2015 at 01:50:42PM -0400, Paul Wouters wrote:

> On Thu, 16 Apr 2015, Viktor Dukhovni wrote:
> 
> >In any case this draft was ready (and has been largely unchanged)
> >for about a year now, *before* all the fuss about SSL 3.0.  Clients
> >MUST support at least TLS 1.0 (to use SNI).  Servers MAY support
> >SSL 3.0 (allowing them to publish TLSA RRs with whatever they're
> >running today).  At this point we can set the floor at TLS 1.0 if
> >that's better "optics", the number of servers doing just SSL 3.0,
> >whose admins might be tempted to publish DANE TLSA RRs is likely
> >zero.
> 
> DANE should not say which TLS version to use. Leave that up to the TLS
> working group?

Well, since the client MUST SNI, it must support at least TLS 1.0
and send an SSL 3.0 compatible HELLO (so SSL 2.0 is definitely
out).  Therefore, the server logically needs to support at least
SSL 3.0, which is what I said, but perhaps as you note silence may
suffice.

So, should we not mention TLS versions at all, and just mention
SNI, with the reader making the "obvious" conclusions?  I prefer
to make things explicit so that implementations don't make silly
mistakes.

-- 
        Viktor.
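The reasoning above (SNI is a TLS extension, so a client that sends it must be offering at least TLS 1.0) can be checked mechanically. The following is an added example, not code from the draft or the thread: it builds a constructed minimal ClientHello handshake message, parses the client version and SNI host back out, and applies the floor the draft describes (SNI present and version >= TLS 1.0). It models only the handshake-layer ClientHello, not the record layer; the cipher suite and zeroed random are constructed placeholders.

```python
import struct

TLS10 = (3, 1)
SSL30 = (3, 0)
EXT_SNI = 0  # server_name extension type (RFC 6066)


def build_client_hello(version, sni=None):
    """Constructed minimal ClientHello handshake message (no record header)."""
    body = bytes(version) + b"\x00" * 32           # client_version + random (constructed zeros)
    body += b"\x00"                                # empty session_id
    body += b"\x00\x02\x00\x2f"                    # one cipher suite (placeholder)
    body += b"\x01\x00"                            # compression_methods: null only
    if sni is not None:                            # extensions block only if SNI requested
        host = sni.encode("idna")
        name = b"\x00" + struct.pack(">H", len(host)) + host   # NameType host_name(0)
        sni_list = struct.pack(">H", len(name)) + name
        ext = struct.pack(">HH", EXT_SNI, len(sni_list)) + sni_list
        body += struct.pack(">H", len(ext)) + ext
    return b"\x01" + struct.pack(">I", len(body))[1:] + body   # type=1, 3-byte length


def parse_client_hello(msg):
    """Return (client_version, sni_host_or_None) from a ClientHello handshake message."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4                                          # skip handshake type + length
    version = (msg[p], msg[p + 1]); p += 2
    p += 32                                        # random
    sid_len = msg[p]; p += 1 + sid_len
    cs_len = struct.unpack(">H", msg[p:p + 2])[0]; p += 2 + cs_len
    comp_len = msg[p]; p += 1 + comp_len
    sni = None
    if p < len(msg):                               # optional extensions block
        ext_len = struct.unpack(">H", msg[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", msg[p:p + 4]); p += 4
            data = msg[p:p + elen]; p += elen
            if etype == EXT_SNI:
                # ServerNameList: list_len(2) + NameType(1) + name_len(2) + host
                name_len = struct.unpack(">H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return version, sni


def meets_dane_floor(msg):
    """Draft's client rule as discussed above: SNI present and version >= TLS 1.0."""
    version, sni = parse_client_hello(msg)
    return sni is not None and version >= TLS10
```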

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane