On Dec 5, 2018, at 6:25 AM, Paul Wouters <[email protected]> wrote:
> 
> On Fri, 30 Nov 2018, Paul Hoffman wrote:
> 
>>> I am not sure I see a need for a different TLS/DTLS profile compared to
>>> regular (web) based (D)TLS connections. What do you or Karl think would
>>> be different?
>> 
>> (D)TLS is not the only option. Using message security instead of connection 
>> security would eliminate the need for keeping TCP and crypto state on the 
>> server, and could maybe reduce the amount of CPU usage as well.
> 
> Is there a draft that describes this message security? Or is that part
> of the work to be started?

The latter.

> It seems that before dprive publishes a (D)TLS profile, this path
> should be considered first?

Maybe, or maybe they can be done in parallel. There are already plenty of 
message security standards to start from (COSE, CMS, OpenPGP), and "encrypt a 
simple DNS message body" is trivial. What is less trivial is weighing the costs 
and benefits to resolvers and authoritative servers, which is the work that is 
going to start happening soon.

--Paul Hoffman

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy