Basically, the draft (draft-hoffman-server-has-tls) provides a mechanism by
which the server tells the client which port is insecure/secure. An idea that
suddenly came to my mind is: why not integrate such a mechanism with SRV
[RFC2782]? The format of the SRV RR is like this: _Service._Proto.Name TTL
Class SRV Priority Weight Port Target. Just add one field to indicate the
security property of the port (namely to indicate whether the port is secure or
not) and then most of the work is done. Forgive me if something obvious is
missed!
Guangqing Deng
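An added illustration, not code from the draft, the thread, or any RFC: the SRV presentation format quoted above parsed in Python, with a hypothetical trailing 'secure'/'insecure' field standing in for the extra field proposed here, the RFC 2782 client ordering (Priority, then Weight), and a client policy that acts on the field. The zone lines are constructed sample data.

```python
import random
from collections import namedtuple

# secure is None for a plain RFC 2782 record (no flag present).
SrvRecord = namedtuple("SrvRecord", "name ttl priority weight port target secure")

def parse_srv(line):
    # '_Service._Proto.Name TTL Class SRV Priority Weight Port Target [FLAG]';
    # FLAG ('secure'/'insecure') is the hypothetical extra field, not real SRV syntax.
    f = line.split()
    if len(f) not in (8, 9) or f[2] != "IN" or f[3] != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    secure = None
    if len(f) == 9:
        if f[8] not in ("secure", "insecure"):
            raise ValueError(f"unknown security flag {f[8]!r}")
        secure = f[8] == "secure"
    return SrvRecord(f[0].rstrip("."), int(f[1]), int(f[4]), int(f[5]),
                     int(f[6]), f[7].rstrip("."), secure)

def order_targets(records, rng=None):
    # RFC 2782 client ordering: ascending Priority; within one Priority, Weight-0
    # entries go first and a random number in [0, sum(Weight)] selects the first
    # entry whose running Weight sum reaches it.
    rng = rng or random.Random(0)  # fixed seed only so the example is repeatable
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            pick, running = rng.randint(0, sum(r.weight for r in pool)), 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

def tls_only(records):
    # Client policy under the proposal: connect only to ports flagged secure.
    return [r for r in records if r.secure is True]

SAMPLE = [  # constructed zone lines, not from the thread
    "_imap._tcp.example.com. 3600 IN SRV 10 60 993 mail1.example.com. secure",
    "_imap._tcp.example.com. 3600 IN SRV 10 40 143 mail1.example.com. insecure",
    "_imap._tcp.example.com. 3600 IN SRV 20 0 993 mail2.example.com. secure",
]
```

Whatever the field says, a client can only trust it as far as it trusts the DNS answer carrying it, so such a flag is only meaningful in a DNSSEC-validated response.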
From: Paul Wouters
Date: 2012-11-20 02:47
To: Paul Hoffman
CC: dnsop
Subject: Re: [DNSOP] Declaring HTTPS mandatory in the DNS
On Mon, 19 Nov 2012, Paul Hoffman wrote:
>>> Perhaps you're thinking of this expired draft: draft-hoffman-server-has-tls?
>>
>> Exactly! Thanks. This I-D is not HTTPS-specific, which may explain why
>> I did not find it.
>
> Y'all forget that think that security is valuable for things other than the
> web. :-)
>
> The draft has expired because there was little interest in it, and it causes
> weird interactions with HSTS from the websec WG.
That will probably lead to people using the TLSA record as a pointer to
"do not connect without TLS", which I believe people who wanted HASTLS
did not like?
(as HSTS does not protect you from attacks from sites you've never
visited before from a trusted network)
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop