On Sun, 26 Apr 2015, Scott Kitterman wrote:
> There is nothing left to harden. The presence of TLSA means, never go
> to the insecure port.
> Yes, when the client is not already committed to using TLS, i.e. it is
> opportunistic.
> The opportune part is "hey, they are publishing a key to use for
> crypto". Once you're at that stage, doing TLS is not optional, but
> mandatory (IMHO, because people did not want to commit to this
> in the original DANE RFC).
> Given https://tools.ietf.org/html/rfc7435 I don't see where there's ambiguity
> about what opportunistic is.
In Viktor's wording of "not already committed to using TLS" being equal
to opportunistic.
During the opportunistic (security) process you can become committed,
so the phrasing of committed versus opportunistic is a little
confusing/misleading, because opportunistic implies "can result in
plaintext".
In my view, using opportunistic can result in a commitment (hard fail) to TLS.
That's why I thought Viktor's choice of words was confusing.
Paul
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane