Greetings. The draft can't make up its mind about SPKI pinning. In
Section 3, it says that SPKI-pinset-based authentication "is out of
scope", but then immediately admits that "Section 10 does describe how
to combine that approach with the domain name based mechanism described
here". However, the draft also talks about SPKI pinning in 4.2, 4.3.2,
5, 6, and then 10. Those sections suggest (sometimes indirectly) that
you might want to check both DNS name and SPKI, but Section 10 then
disavows specification of what to do if only one of the two identifier
types match.

This is a mess. Either the draft has to give consistent, followable
guidance or defer to a different document. The latter seems much more
likely to get consensus than the former.

Proposal:

In Section 3 about what is out of scope:

   o SPKI-pinset-based authentication. This is defined in [RFC7858], and
     that document gives an example of a profile that uses them. The use of
     SPKI-pinset-based authentication is not discussed in this document, but
     might be addressed in a future document.

Then remove any mention of SPKI from the rest of the document (including
the definition in Section 2). Also remove the bullet about raw public
keys in Section 11, which seems completely out-of-place in a document
about DNS name matching.

--Paul Hoffman
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy