On Wed, May 8, 2019, at 07:07, Thomas Peterson wrote:
> If a mechanism that facilitates certificate validation is important then
> the only two options I believe we have are:

Yes, I believe that certificate validation is important, if not critical. As I said earlier, the process by which a DoT (or DoH) server is contacted is materially different than the network configuration process.

> A: Providing a host name only within the option, and expect clients to
> use Do53 to resolve it, performing host name validation against the
> certificate CommonName or SubjectAltName.
>
> B: Using IP address(es) only, with either Do53 option or this option
> providing the IP addresses, in addition to a non-DNS related identifier
> to facilitate certificate validation - perhaps the Serial Number,
> Subject Key Identifier or some other field or a derived field of data.

> Having an option with both a host name and IP addresses makes no real
> sense to me.

I want to dig into this. How do you think that hostname + IP is nonsensical?

I am given a name and some candidate IP addresses for that name. The security all hangs off the name, but I need the IP addresses to make a connection.

In a way it is not fundamentally different than your suggestion to include a serial number or SPKI. The important difference is that TLS stacks know how to deal with names and we have (elaborate) systems for ensuring that a host that claims to control a name really does. A name allows us to use all that infrastructure.

_______________________________________________
dns-privacy mailing list
https://www.ietf.org/mailman/listinfo/dns-privacy
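The "name + candidate IPs" model argued for above, as an added example that is not part of the thread or of any draft it discusses: the client dials whichever IP from the option it can reach, but the TLS stack authenticates only the *name* (via SNI and hostname checking against the trust store), and the name is then re-checked against the presented certificate's SubjectAltName (falling back to CommonName only when no dNSName SAN is present). The function names, the port constant and the certificate dictionaries are assumptions constructed for this example; the dictionaries use the shape `ssl.SSLSocket.getpeercert()` returns so the matching logic can be exercised offline.

```python
import socket
import ssl
from typing import Iterable, Optional

DOT_PORT = 853  # DNS over TLS (RFC 7858); constant name is an assumption


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and a wildcard is honoured only as the whole leftmost label, covering
    exactly one label of a name with at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and len(h_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Check the resolver name carried in the discovery option against the
    certificate presented at the IP address. SAN dNSName entries are
    authoritative; the subject CN is consulted only when the certificate
    carries no dNSName SAN at all (historic fallback)."""
    san_dns = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_label_match(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _label_match(value, hostname)
    return False


def connect_dot(name: str, candidate_ips: Iterable[str],
                port: int = DOT_PORT, timeout: float = 5.0) -> Optional[ssl.SSLSocket]:
    """Try each candidate IP in turn. The IP only reaches the host; the
    name is what gets authenticated (SNI plus hostname verification against
    the system trust store). Returns the first verified TLS socket, or None."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    for ip in candidate_ips:
        try:
            raw = socket.create_connection((ip, port), timeout=timeout)
        except OSError:
            continue  # unreachable candidate; move on to the next address
        try:
            tls = ctx.wrap_socket(raw, server_hostname=name)
        except (ssl.SSLError, OSError):
            raw.close()
            continue  # chain or name check failed for this address
        # Second, explicit name check on the certificate actually presented.
        if not hostname_matches_cert(name, tls.getpeercert()):
            tls.close()
            continue
        return tls
    return None


# Constructed sample certificates (getpeercert() dict shape), not real data.
SAN_CERT = {
    "subject": ((("commonName", "dot.example.test"),),),
    "subjectAltName": (("DNS", "dot.example.test"),
                       ("DNS", "*.resolvers.example.test"),
                       ("IP Address", "192.0.2.53")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}


def demo() -> bool:
    """Offline demonstration of the name check on the constructed certs."""
    return (hostname_matches_cert("dot.example.test", SAN_CERT)
            and hostname_matches_cert("a.resolvers.example.test", SAN_CERT)
            and not hostname_matches_cert("other.example.test", SAN_CERT)
            and hostname_matches_cert("legacy.example.test", CN_ONLY_CERT))


if __name__ == "__main__":
    print("name checks behave as expected:", demo())
```

Note that `connect_dot` never treats a match on the IP address itself as sufficient: an `IP Address` SAN is deliberately ignored by `hostname_matches_cert`, which is the practical consequence of the argument that the security hangs off the name rather than the address the option happened to supply.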
