On Thu, 6 Oct 2016, Marcos Sanz wrote:

> I just got through the dane-smime document and have one amendment to make
> to section 7, specifically "applications SHOULD use TCP - not UDP".
>
> My impression is that that specific recommendation (and its rationale in
> the next paragraph) was mimicked from the OPENPGPKEY spec, where it makes
> sense because the whole armored key gets into the DNS. But since SMIMEA is
> very much like TLSA, I don't see the need for that TCP preference (nor
> does 7671 - check section 10.1.1).

If you do not have the s/mime cert and you pull it from the DNS, it is
still a pretty big blob that would not be nice to get spoofed to the
wrong IP address. So I do think the same security consideration applies.

For 7671, which really mostly talks about DANE use with TLS, getting
the whole certificate from DNS is less likely, because the TLS handshake
already provides you with the certificate.

Paul
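As an added illustration of the transport point argued above (example code, not from this thread or from any DANE implementation): the helpers below build a raw SMIMEA query, apply the 2-byte length framing that DNS over TCP requires, and inspect a constructed UDP reply for the TC bit so a resolver can fall back to TCP when a large certificate answer did not fit in the UDP response. The record type 53 and the `_smimecert` label are assumptions taken from RFC 8162, and the hash label in the sample name is a constructed placeholder.

```python
import struct

# Assumed from RFC 8162, not stated in the thread: SMIMEA is RR type 53 and sits
# under the _smimecert label. The leading hash label is a constructed placeholder.
SMIMEA_RRTYPE = 53
SAMPLE_QNAME = "0123abcd._smimecert.example.com"


def encode_name(qname: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = SMIMEA_RRTYPE, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one IN question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP sends each message behind a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Header fields that matter for the transport decision: id, QR, TC, counts."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "qdcount": qd, "ancount": an}


def should_retry_over_tcp(udp_reply: bytes, expected_txid: int) -> bool:
    """True when the UDP reply is truncated (TC=1), or is not a reply to our query
    (QR clear or id mismatch) and must not be trusted; either way, ask again over TCP."""
    h = parse_header(udp_reply)
    if not h["qr"] or h["txid"] != expected_txid:
        return True
    return h["tc"]


def sample_reply(truncated: bool, txid: int = 0x1234) -> bytes:
    """Constructed UDP reply to the sample query, with no answer records.
    flags 0x8300 = QR|TC|RD (answer did not fit), 0x8100 = QR|RD (complete)."""
    flags = 0x8300 if truncated else 0x8100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(SAMPLE_QNAME) + struct.pack("!HH", SMIMEA_RRTYPE, 1)


if __name__ == "__main__":
    q = build_query(SAMPLE_QNAME)
    print("UDP query bytes:", len(q), "| TCP framed bytes:", len(frame_for_tcp(q)))
    print("retry over TCP:", should_retry_over_tcp(sample_reply(True), 0x1234))
```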

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane