On Wed, Jan 6, 2021 at 1:30 PM Paul Hoffman <[email protected]> wrote:
> On Jan 6, 2021, at 1:19 PM, Paul Wouters <[email protected]> wrote:
> > Remember also that TLS ciphers are negotiated.
>
> A better analogy might be "although TLS key exchange and encryption
> ciphers are negotiated, the signing algorithm on the server's certificate
> is not negotiated". DNSSEC signing is much more akin to the latter, I think.
>
> > There is no negotiation
> > in DNSSEC.
>
> Quite right, just as there is no negotiation for the authentication in TLS.

This is not strictly correct: TLS allows both the client and the server to advertise their supported signature algorithms, which can be used by the peer to guide certificate selection.

-Ekr
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
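The point Ekr makes above (the TLS signature_algorithms extension lets a peer steer certificate selection, while a DNSSEC validator gets no say in the zone's signing algorithm) is easier to see in code. The following is an added example, not part of the thread or any IETF document: it encodes and decodes the signature_algorithms extension body as laid out in RFC 8446 section 4.2.3, performs a simple server-side certificate choice driven by the client's list, and contrasts that with the DNSSEC case where the validator can only check whether it supports any of the algorithms the zone already chose. The certificate labels and the `select_certificate` and `dnssec_validator_has_path` helpers are constructed for illustration.

```python
# Added example (not from the DNSOP thread): TLS signature-algorithm
# advertisement versus the absence of negotiation in DNSSEC.
import struct

# SignatureScheme code points from RFC 8446 section 4.2.3 (subset).
SIG_SCHEMES = {
    "rsa_pkcs1_sha256": 0x0401,
    "ecdsa_secp256r1_sha256": 0x0403,
    "rsa_pss_rsae_sha256": 0x0804,
    "ed25519": 0x0807,
}
SCHEME_NAMES = {v: k for k, v in SIG_SCHEMES.items()}


def encode_signature_algorithms(schemes):
    """Encode a signature_algorithms extension body: a 2-byte length
    followed by 2-byte SignatureScheme values in preference order."""
    body = b"".join(struct.pack("!H", SIG_SCHEMES[s]) for s in schemes)
    return struct.pack("!H", len(body)) + body


def decode_signature_algorithms(data):
    """Parse the extension body back into scheme names, rejecting
    length mismatches and odd-length lists (each entry is 2 bytes)."""
    (length,) = struct.unpack("!H", data[:2])
    if length % 2 or length != len(data) - 2:
        raise ValueError("malformed signature_algorithms extension")
    return [
        SCHEME_NAMES.get(v, f"unknown(0x{v:04x})")
        for (v,) in struct.iter_unpack("!H", data[2:2 + length])
    ]


def select_certificate(client_schemes, available_certs):
    """Hypothetical server-side choice: return the first scheme in the
    client's preference order for which the server holds a certificate.
    available_certs maps scheme name -> certificate label (constructed)."""
    for scheme in client_schemes:
        if scheme in available_certs:
            return scheme, available_certs[scheme]
    return None  # no overlap: the handshake cannot be authenticated


# DNSSEC algorithm numbers (IANA registry, subset).
DNSSEC_ALGS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}


def dnssec_validator_has_path(zone_ds_algorithms, validator_supported):
    """DNSSEC contrast: the zone's DS RRset fixes the algorithms; the
    validator cannot ask for a different one. It has an authentication
    path only if it supports at least one of the algorithms present."""
    return any(alg in validator_supported for alg in zone_ds_algorithms)


if __name__ == "__main__":
    # Constructed ClientHello preference list and server certificate inventory.
    client_list = ["ed25519", "rsa_pss_rsae_sha256"]
    wire = encode_signature_algorithms(client_list)
    print("extension body:", wire.hex())
    print("server sees:", decode_signature_algorithms(wire))
    server_certs = {"rsa_pss_rsae_sha256": "rsa-cert", "ecdsa_secp256r1_sha256": "ecdsa-cert"}
    print("server picks:", select_certificate(client_list, server_certs))
    # Zone signed only with ED25519 (15); a validator that knows 8 and 13 has no path.
    print("validator path:", dnssec_validator_has_path({15}, {8, 13}))
```

Running the block shows the server picking its RSA-PSS certificate because that is the first client preference it can satisfy, whereas the DNSSEC validator that lacks the zone's algorithm has nothing to negotiate and simply has no supported authentication path.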
