On Wed, Jul 29, 2015 at 08:17:28AM -0700, Barry Leiba wrote:
> NEW
> DANE TLSA records validated by
> DNSSEC can be used to augment or replace the use of trusted public
> END
Thanks, done.
> NEW
> [RFC6698] defines three TLSA record fields, the first with 4 possible
> values, the second with 2, and the third with 3.
> END
Thanks, done.
> NEW
> When a server supports SNI but is not configured with a certificate
> chain that exactly matches the client's SNI extension, the server
> SHOULD respond with another certificate chain (a default or closest
> match). This is because clients might support more than one server
> name, but can only put a single name in the SNI extension.
> END
Thanks, done.
> -- Section 4 --
>
> Protocol designers need to carefully consider which set of DANE
> certificate usages to support.
>
> I'm not sure why this (and the next sentence) is referring to "protocol
> designers". Is this not aimed at implementation/deployment choices? If
> that's not correct, who are the targets for this advice?
This should likely say "application protocol designers". The point
being that the use of DANE TLSA RRs in a particular application
(as with e.g. SMTP) can be defined (more specifically than in
RFC6698 and this draft) by an application-specific standard.
> I also find this section to be rather hard to follow -- I can't clearly
> figure out what the advice really is. Can you do a little reorganization
> here, separating the advice out from the explanation of why? I don't
> care whether you put the explanation first or the advice first, but it
> would help to have one paragraph that says, clearly and without fuss,
> what the recommendation is. This applies to the subsections as well.
Will try to clarify, this will take more time. Should the two
smaller changes above be pushed as -15, while section 4 is polished?
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
