Hiya,
On 15/02/2021 22:49, Eric Rescorla wrote:
> On Mon, Feb 15, 2021 at 2:37 PM Stephen Farrell <[email protected]> wrote:
>> Hiya,
>>
>> On 15/02/2021 22:31, Eric Rescorla wrote:
>>> This doesn't sound like a very good idea to me. IMO we should only
>>> specify a protocol that authenticates the server.
>>
>> Fair enough that that's your preference. How's that gonna work and be
>> deployable though?
>
> The reason we have WGs is to work out such matters in detail, no? And in
> particular, I think the WG should try to figure out the problem space
> before designing.
>
> However, it seems like there's a relatively obvious strawman proposal here:
>
> - We invent some mechanism that allows you to specify in an NS record
>   that the server takes TLS (as a hacky example, "servers have to be
>   named <some-sentinel>.example.com").
Wasn't exactly that proposed but shot down already (for DNS, not crypto,
reasons)? Maybe I'm recalling wrong. I did kinda like it mind - the
hackiness appeals a bit to me :-)

S.
> - Servers are authenticated via the WebPKI, with the name as listed above.
>
> I'm sure there are plenty of things that people won't like about this
> (e.g., I imagine that some people would like to use DNSSEC), and the
> signal I just invented is gross. Maybe in the process of deciding what
> people don't like about this, we can understand the problem space better.
>
> -Ekr
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
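To make the strawman in Ekr's message concrete, here is an added example (not code from the thread or from any IETF draft) of the resolver-side check it implies: a nameserver advertises TLS support purely by its NS target name carrying a sentinel label, and the resolver then authenticates that server via the WebPKI against the same name. The sentinel label `tls-sentinel` is a placeholder I chose, since the thread never picks one; the rule that the signal only counts as a whole leftmost label (so `nottls-sentinel.example.net` does not match) is my assumption about how such a signal would have to be read; and the NS RRset is constructed by hand rather than looked up.

```python
"""Toy resolver-side evaluation of the "sentinel NS name" strawman.

Added example; not code from the dns-privacy thread. Assumptions:
  * SENTINEL is a placeholder label, the thread names none.
  * The signal is a whole-label match on the leftmost label only.
  * The NS RRset below is constructed, not resolved.
"""

from dataclasses import dataclass
from typing import List, Optional

SENTINEL = "tls-sentinel"  # placeholder label, assumed for this example


def labels(name: str) -> List[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.rstrip(".").lower().split(".")


def signals_tls(ns_target: str, sentinel: str = SENTINEL) -> bool:
    """True only if the leftmost label is exactly the sentinel.

    Comparing whole labels (not substrings) is what keeps a look-alike
    name such as 'nottls-sentinel.example.net' from being taken as a signal.
    """
    parts = labels(ns_target)
    return len(parts) >= 2 and parts[0] == sentinel


@dataclass
class Plan:
    target: str                    # NS target name, canonicalised
    use_tls: bool                  # whether to attempt TLS to this server
    authenticate_as: Optional[str]  # name to check the WebPKI certificate against


def plan_for_nsset(ns_targets: List[str], sentinel: str = SENTINEL) -> List[Plan]:
    """Build a per-server plan from an NS RRset.

    Under the strawman the certificate is checked against the NS name
    itself, so the name to authenticate is simply the canonical target.
    """
    plans = []
    for target in ns_targets:
        canon = ".".join(labels(target))
        if signals_tls(target, sentinel):
            plans.append(Plan(canon, True, canon))
        else:
            plans.append(Plan(canon, False, None))
    return plans


# Constructed NS RRset for a made-up zone: two signalling servers (one in
# mixed case), one look-alike that must not match, and one plain server.
EXAMPLE_NSSET = [
    "tls-sentinel.ns1.example.net.",
    "TLS-SENTINEL.ns2.example.net",
    "nottls-sentinel.ns3.example.net.",
    "ns4.example.net.",
]

if __name__ == "__main__":
    for plan in plan_for_nsset(EXAMPLE_NSSET):
        print(plan)
```

Note that this check consumes the NS RRset as received; whether that RRset itself can be trusted (the DNSSEC question raised in the message) is a separate decision that a real resolver would have to make before acting on the signal.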
