On Mon, Feb 15, 2021 at 2:57 PM Stephen Farrell <[email protected]> wrote:
> Hiya,
>
> On 15/02/2021 22:49, Eric Rescorla wrote:
> > On Mon, Feb 15, 2021 at 2:37 PM Stephen Farrell <[email protected]> wrote:
> >
> >> Hiya,
> >>
> >> On 15/02/2021 22:31, Eric Rescorla wrote:
> >>> This doesn't sound like a very good idea to me. IMO we should only specify
> >>> a protocol that authenticates the server.
> >>
> >> Fair enough that that's your preference. How's that gonna
> >> work and be deployable though?
> >
> > The reason we have WGs is to work out such matters in detail, no? And in
> > particular, I think the WG should try to figure out the problem space
> > before designing.
> >
> > However, it seems like there's a relatively obvious strawman proposal here:
> >
> > - We invent some mechanism that allows you to specify in an NS record that
> > the server takes TLS (as a hacky example, "servers have to be named
> > <some-sentinel>.example.com").
>
> Wasn't exactly that proposed but shot down already (for
> DNS, not crypto, reasons)? Maybe I'm recalling wrong. I did
> kinda like it mind - the hackiness appeals a bit to me:-)

I don't recall. My sense was that people didn't like it being WebPKI rather than DNSSEC, but maybe there's some more fatal reason? If so, I'd certainly appreciate a link to that shooting down.

-Ekr
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
