On 8/20/14, Paul Wouters <[email protected]> wrote:
> On Wed, 20 Aug 2014, Jacob Appelbaum wrote:
>
>> Paul - perhaps this suggests that all stub and recursive resolvers
>> should log keying information, even if it isn't used for
>> validation/authentication/etc?
>
> That is one "out of band" authentication mechanism called TOFU (trust on
> first use) or LOF (Leap of Faith)

I'm suggesting that regardless of authentication, we should ensure that
we have some information for a user to report their experience.

> While possible, it will see a lot of false positives, like when going to
> a different starbucks using the same wifi ESSID.

There is no false positive - only an actually observed certificate. :)

> It could be done if one also logs mac address and/or lat/long info.
>
> But these are all local policy and local implementations issues.

I agree. I suggest that resolvers SHOULD log resolver certificate information.

All the best,
Jacob

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
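The kind of log the thread discusses, as an added example (not code from the thread or from any resolver): a TOFU store that records the first certificate fingerprint observed for a resolver within a network context and flags later changes for the user to report. Keying on ESSID plus gateway MAC, not ESSID alone, is the mitigation for the "same ESSID at a different Starbucks" false positive; the class name, fields and sample data are all constructed.

```python
# Added example: TOFU log of observed resolver certificates, keyed on
# resolver identity plus network context (ESSID and gateway MAC).
# A "changed" result is surfaced for reporting, not used to reject.
import hashlib
import json
import time
from dataclasses import dataclass, field


@dataclass
class TofuLog:
    """In-memory TOFU store: (resolver, essid, gateway_mac) -> first-seen fingerprint."""
    entries: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # every observation, for reporting

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # SHA-256 over the DER certificate, the usual pinning identifier.
        return hashlib.sha256(cert_der).hexdigest()

    def observe(self, resolver, essid, gateway_mac, cert_der, now=None):
        """Record one observation; return 'first-seen', 'match' or 'changed'."""
        now = time.time() if now is None else now
        key = (resolver, essid, gateway_mac.lower())
        fp = self.fingerprint(cert_der)
        prior = self.entries.get(key)
        if prior is None:
            status = "first-seen"          # leap of faith: remember it
            self.entries[key] = fp
        elif prior == fp:
            status = "match"
        else:
            status = "changed"             # different cert, same resolver and network
        self.events.append({"ts": now, "resolver": resolver, "essid": essid,
                            "gateway_mac": key[2], "fingerprint": fp,
                            "status": status})
        return status

    def report(self) -> str:
        """JSON lines a user could attach when reporting their experience."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.events)


if __name__ == "__main__":
    log = TofuLog()
    cert_a, cert_b = b"constructed-der-A", b"constructed-der-B"   # constructed sample certs
    print(log.observe("dns.example.net", "Starbucks", "AA:BB:CC:00:00:01", cert_a))  # first-seen
    print(log.observe("dns.example.net", "Starbucks", "AA:BB:CC:00:00:01", cert_b))  # changed
    print(log.observe("dns.example.net", "Starbucks", "AA:BB:CC:00:00:02", cert_b))  # first-seen
```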
