Right, so reading up on TLSA, I can see how the port, certificate and certificate metadata are defined together and obviously I think this is a great implementation to kill off CAs as we know them.

However, I don't see why the TLSA syntax must require the preferred port AND the certificate hash as well. A systems administrator wants to only specify use of, say, 443/TLS whilst relying on the existing CA system for certificate validation. Sure, this is not where we want to be long term, but allowing one to implement partial TLSA features would simplify things, wouldn't it? Therefore I believe my proposal is to allow a cut-down implementation of TLSA for this purpose.

On Sun, Apr 26, 2015 at 11:56 PM, Viktor Dukhovni <[email protected]> wrote:
> On Sun, Apr 26, 2015 at 11:51:34PM +0100, Chris Monteiro wrote:
>
>> Reading up on HASTLS, it appears at first glance that the ins-port /
>> sec-port etc combinations covers my use-case of advertising and
>> preferring a secure connection.
>>
>> Is there any activity with HASTLS that I could contribute to?
>
> He's dead Jim. TLSA records subsume whatever purpose HASTLS might
> have served. Long live the King.
>
> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
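For readers following the thread, here is an added example (not from the list post, and not from any DANE implementation) that shows where the port and the certificate data actually live in a TLSA record per RFC 6698: the port and protocol are encoded in the owner name (`_443._tcp.example.com.`), while the RDATA carries usage, selector, matching type and the association data. The "association data" is derived from either the full certificate (selector 0) or its SubjectPublicKeyInfo (selector 1), as raw bytes (matching type 0), SHA-256 (1) or SHA-512 (2). The certificate and SPKI bytes below are constructed placeholders; a real client would use the DER from the TLS handshake.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded data (not a real certificate). A real
# verifier would use the end-entity certificate and its SubjectPublicKeyInfo
# exactly as presented in the TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed certificate body for demo"
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13" + b"constructed subject public key info for demo"


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """The port is part of the owner name, not of the RDATA."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    """Derive the association data exactly as a verifier would recompute it."""
    selected = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def format_tlsa_rdata(usage: int, selector: int, matching_type: int,
                      cert_der: bytes, spki_der: bytes) -> str:
    """Presentation format: '<usage> <selector> <mtype> <hex data>'."""
    data = association_data(cert_der, spki_der, selector, matching_type)
    return f"{usage} {selector} {matching_type} {data.hex()}"


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation format; hex may be split across whitespace."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(x) for x in fields[:3])
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in (0, 1):
        raise ValueError(f"unknown selector {selector}")
    if matching_type not in (0, 1, 2):
        raise ValueError(f"unknown matching type {matching_type}")
    data = bytes.fromhex("".join(fields[3:]))
    return TLSA(usage, selector, matching_type, data)


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate satisfies the record's association data."""
    expected = association_data(cert_der, spki_der,
                                record.selector, record.matching_type)
    return expected == record.data


def pkix_validation_required(record: TLSA) -> bool:
    """Usages 0 and 1 keep the CA system in the loop; 2 and 3 replace it."""
    return record.usage in (0, 1)


if __name__ == "__main__":
    # DANE-EE, SPKI, SHA-256: the most common deployment shape.
    rdata = format_tlsa_rdata(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    print(tlsa_owner_name("example.com", 443), "IN TLSA", rdata)
    rec = parse_tlsa_rdata(rdata)
    print("matches presented cert:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("still needs PKIX validation:", pkix_validation_required(rec))
```

Note that even the usages that keep the CA system (0 and 1) still carry association data constraining which CA or end-entity certificate is acceptable; there is no usage that expresses only "TLS is offered on this port" with no certificate constraint.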
