> On 15 Mar 2016, at 14:23, Stephane Bortzmeyer <[email protected]> wrote:
>
>> Do (or should) the profiles have anything to say about clear-text
>> fallback if a client cannot connect to the server's DNS-over-TLS
>> port, or the TLS handshake fails? I infer that such fallback should
>> not occur with the pinned profile, but what about the opportunistic
>> profile?
>
> I don't want to reopen discussions on
> draft-ietf-dprive-dns-over-tls-07 but maybe we can improve it for
> draft-ietf-dprive-dtls-and-tls-profiles-00: its definition in section
> 5 does not address this issue. Maybe have two opportunistic
> profiles, one with fallback to clear text if necessary and another
> without?

Hi Stephane/Ben,
Note that the discussion in draft-ietf-dprive-dtls-and-tls-profiles-00 section
4.2 quotes RFC7435 directly which states that Opportunistic Security is
described as
“... the use of cleartext as the baseline communication
security policy, with encryption and authentication negotiated
and applied to the communication when available.”
So at the moment that draft describes 2 profiles, a Strict one which requires
authentication (or failure), or an Opportunistic one as described above. The
use case for an ‘in-between’ profile that requires encryption but not
authentication is debatable since it only provides limited protection from
attacks.
Sara.
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
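The two profiles Sara describes (Strict: authenticated TLS or failure; Opportunistic: cleartext baseline, encryption used when available) and the "in-between" profile she mentions (encryption required, authentication not) differ only in what the client does when the TLS port is unreachable, the handshake fails, or the certificate does not authenticate the server. The following is an added illustration, not code from the thread or from any draft: a small policy model that walks each profile through those failure conditions and records what kind of session the client ends up with. The profile and outcome names, the `encrypt-only` label for the hypothetical in-between profile, and the scenario inputs are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Profile(Enum):
    """Client policy profiles (names constructed for this example)."""
    STRICT = "strict"                 # authenticated TLS, or do not send the query
    OPPORTUNISTIC = "opportunistic"   # RFC 7435 style: cleartext baseline, TLS when it works
    ENCRYPT_ONLY = "encrypt-only"     # hypothetical in-between: TLS required, auth not


@dataclass(frozen=True)
class ServerState:
    """What the client observes when it tries the resolver (constructed input)."""
    tls_port_reachable: bool   # TCP connect to the DNS-over-TLS port succeeded
    handshake_ok: bool         # TLS handshake completed
    authenticated: bool        # server certificate matched the pinned key / expected name


class Outcome(Enum):
    ENCRYPTED_AUTHENTICATED = "encrypted+authenticated"
    ENCRYPTED_UNAUTHENTICATED = "encrypted, server not authenticated"
    CLEARTEXT = "cleartext fallback"
    FAIL = "hard failure, no query sent"


def decide(profile: Profile, state: ServerState) -> Outcome:
    """Apply a profile's policy to the observed server state."""
    tls_up = state.tls_port_reachable and state.handshake_ok
    if tls_up and state.authenticated:
        return Outcome.ENCRYPTED_AUTHENTICATED
    if profile is Profile.STRICT:
        # Strict: anything short of authenticated TLS is a failure.
        return Outcome.FAIL
    if tls_up:
        # Opportunistic and encrypt-only both accept an unauthenticated TLS session.
        return Outcome.ENCRYPTED_UNAUTHENTICATED
    if profile is Profile.ENCRYPT_ONLY:
        # Encrypt-only refuses cleartext; without TLS it fails like Strict.
        return Outcome.FAIL
    # Opportunistic: encryption unavailable, fall back to the cleartext baseline.
    return Outcome.CLEARTEXT


def protects_against(outcome: Outcome) -> frozenset:
    """Attacker classes the resulting session resists (summary, not a formal model).

    FAIL is listed as resisting both because nothing is disclosed, at the cost of
    availability. An unauthenticated TLS session resists a passive observer but not
    an active one, which is the limited protection the thread refers to.
    """
    return {
        Outcome.ENCRYPTED_AUTHENTICATED: frozenset({"passive", "active"}),
        Outcome.ENCRYPTED_UNAUTHENTICATED: frozenset({"passive"}),
        Outcome.CLEARTEXT: frozenset(),
        Outcome.FAIL: frozenset({"passive", "active"}),
    }[outcome]


# Constructed scenarios: a healthy server plus the three failure conditions
# raised in the thread (port unreachable, handshake fails, authentication fails).
SCENARIOS = {
    "server_ok":        ServerState(True, True, True),
    "tls_port_blocked": ServerState(False, False, False),
    "handshake_fails":  ServerState(True, False, False),
    "cert_mismatch":    ServerState(True, True, False),
}


def scenario_matrix() -> dict:
    """Outcome of every profile under every scenario, keyed by profile then scenario."""
    return {
        p.value: {name: decide(p, s).value for name, s in SCENARIOS.items()}
        for p in Profile
    }


if __name__ == "__main__":
    for profile, row in scenario_matrix().items():
        print(profile)
        for scenario, outcome in row.items():
            print(f"  {scenario:17s} -> {outcome}")
```

Running the script prints one row per profile; the point to read off is that only the Opportunistic profile ever reaches "cleartext fallback", and that it does so for the cases an active network position can induce (port blocked, handshake failed), which is why an opportunistic client gains little against such an attacker and why the thread asks whether fallback behaviour should be spelled out per profile.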