On Tue, May 19, 2015 at 07:46:07PM -0700, Peter Saint-Andre - &yet wrote:
[ Sorry, I'm on the road, and cycles are limited. ]
> >>NEW
> >> SRV is secure: The reference identifiers SHALL include both the
> >> service domain and the SRV target server host name (e.g., include
> >> both "im.example.com" and "xmpp23.hosting.example.net"). The
> >> service domain is still the preferred name for TLS SNI or its
> >> equivalent (this reduces code complexity and the possibility of
> >> interoperability problems).
> >
> >I object. The fix is to delay the decision until the presence of
> >TLSA records has been checked.
>
> Viktor, the text in question is from §4.1, which begins as follows:
>
> 4.1. SRV Records Only
>
> If the client received zero usable TLSA certificate associations...
In that case, this is a pure legacy use-case, and no incompatible
behaviour should be introduced.
> The whole point of 4.1 is to address the case where we have SRV records and
> no usable TLSA records. Naturally, the client can't know that it has no
> usable TLSA records "until the presence of TLSA records has been checked" as
> you say. I'd agree with you if we were proposing to change text in 4.2, but
> we're not, so I don't see the force of your objection.
I did not get a chance to read the text in context. Adding the target name
as a secondary identifier is fine, but indeed the SNI name should not
change absent signalling via TLSA RRs.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
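An added illustration of the rule under discussion, not code from the draft, from either poster, or from the dane list: in the "SRV records only" case (SRV lookup succeeded, zero usable TLSA records) the client accepts both the service domain and the SRV target as reference identifiers, while the SNI name stays the service domain. The names, the `SrvResult` type and the helper function names are constructed for this example; the TLSA-present case (section 4.2) is not described on this page and is deliberately not modelled.

```python
"""Reference identifiers and SNI selection for the SRV-only DANE case.

Added example; names and types below are constructed, not from the draft.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvResult:
    service_domain: str  # name the client started from, e.g. "im.example.com"
    target: str          # SRV target host, e.g. "xmpp23.hosting.example.net"


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower()


def reference_identifiers(srv: SrvResult, usable_tlsa: int) -> frozenset:
    """SRV-only case: both the service domain and the SRV target are
    acceptable reference identifiers, as in the NEW text quoted above.
    The TLSA-present case (4.2) is not covered here."""
    if usable_tlsa != 0:
        raise NotImplementedError("TLSA-present case (4.2) is outside this example")
    return frozenset({_normalize(srv.service_domain), _normalize(srv.target)})


def sni_name(srv: SrvResult, usable_tlsa: int) -> str:
    """The SNI name remains the service domain; nothing about the SNI
    choice changes when no TLSA records were found."""
    return _normalize(srv.service_domain)


def _dnsname_matches(presented: str, reference: str) -> bool:
    """RFC 6125-style comparison of one presented dNSName against one
    reference identifier: exact match, or a '*' that is the entire
    left-most label and stands for exactly one label.  Wildcards on
    names shorter than three labels are refused as a simple guard."""
    presented = _normalize(presented)
    if presented == reference:
        return True
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if (p_labels[0] == "*"
            and len(p_labels) == len(r_labels)
            and len(r_labels) >= 3):
        return p_labels[1:] == r_labels[1:]
    return False


def certificate_matches(san_dnsnames, reference_ids) -> bool:
    """True if any presented dNSName SAN matches any reference identifier."""
    return any(_dnsname_matches(p, r) for p in san_dnsnames for r in reference_ids)


if __name__ == "__main__":
    # Constructed SRV result for the example.
    srv = SrvResult("im.example.com", "xmpp23.hosting.example.net")
    ids = reference_identifiers(srv, usable_tlsa=0)
    print("reference identifiers:", sorted(ids))
    print("SNI:", sni_name(srv, usable_tlsa=0))
    # A certificate issued to the hosting provider's wildcard is accepted
    # because the SRV target is a reference identifier in this case.
    print("hosting cert ok:", certificate_matches(["*.hosting.example.net"], ids))
```

The point the two posters agree on is visible in `sni_name`: it ignores `usable_tlsa` entirely, so a client in the SRV-only path sends exactly the SNI it would have sent before the NEW text, and only the set of acceptable names grows.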