On Tue, Jun 19, 2018 at 03:51:55PM -0700, Eric Rescorla wrote:
> On Tue, Jun 19, 2018 at 3:46 PM, Nico Williams <n...@cryptonector.com> wrote:
> > On Tue, Jun 19, 2018 at 12:26:10PM -0700, Eric Rescorla wrote:
> > > On Tue, Jun 19, 2018 at 11:34 AM, Nico Williams <n...@cryptonector.com>
> > > wrote:
> > > > The I-D should say that clients MUST allow local configuration of what
> > > > domains to accept trust anchors for, and SHOULD allow local policy to
> > > > list . as a domain for which to accept trust anchors.
> > >
> > > The ID can say that, but as a practical matter, any enterprise that has
> > > a reasonable number of internal domains is just going to tell people
> > > to configure their client to accept any domain name.
> >
> > And what's the problem with that?
> >
> > If it's your own device you might balk, so get your employer to provide
> > you with theirs. Or just accept it as part of the employment deal.
>
> Again, right now I'm just trying to establish the facts of the matter.
> Do you agree this is going to be a common scenario?
I don't know what the antecedent of "this" is in your question.

If you mean that BYODs will have to accept policies users don't want, well, that's pretty much true anyways (e.g., you have to accept proxy configurations that can and _will_ MITM you).

For public VPNs (that the user pays for) the user will want the client to accept TAs for no domain. For private VPNs the user will generally not really have a choice.

I don't think there's a question of what is a common scenario, but of what the I-D should say. It should say that with these TAs the SG can MITM DNSSEC and DNSSEC-based security technologies like DANE, and it should say that clients MUST be able to configure a list of domains for which they'll accept TAs. And that should be sufficient to handle your concern.

Are you objecting to the I-D altogether -- objecting to the feature it adds -- or asking what the I-D should say about your concern? Objecting to enterprise features would be fair, though I don't think the IETF rejects enterprise features, nor should it.

Nico

--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
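A client-side policy filter of the kind the reply asks the I-D to require, added here as an example that is not from the thread or from the I-D itself; the TrustAnchor representation, function names and sample domains are assumptions, not the draft's wire format. It matches on DNS label boundaries (so an anchor for "notcorp.example" is not accepted under a policy entry of "corp.example") and treats a configured "." as the accept-any-domain setting the quoted text mentions.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

def _labels(name: str) -> Tuple[str, ...]:
    """Normalize a DNS name to lowercase labels; '.' and '' are the root (no labels)."""
    name = name.strip().lower().rstrip(".")
    return tuple(name.split(".")) if name else ()

def domain_permitted(ta_domain: str, allowed: Iterable[str]) -> bool:
    """True if ta_domain equals or lies below a configured domain.
    Matching is on label boundaries: 'corp.example' permits 'hr.corp.example'
    but not 'notcorp.example'. A configured '.' (the root) permits any domain."""
    target = _labels(ta_domain)
    for entry in allowed:
        suffix = _labels(entry)
        if not suffix:  # policy lists '.', so accept anchors for any domain
            return True
        n = len(suffix)
        if len(target) >= n and target[-n:] == suffix:
            return True
    return False

@dataclass(frozen=True)
class TrustAnchor:
    domain: str        # zone the gateway asks the client to trust it for
    dnskey_rdata: str  # opaque here; constructed placeholder, not real key data

def filter_trust_anchors(offered, allowed):
    """Split gateway-offered anchors into (accepted, rejected) per local policy.
    Only accepted anchors would be installed; a rejected one gives the gateway
    no way to override DNSSEC validation (and so DANE) for that zone."""
    accepted, rejected = [], []
    for ta in offered:
        (accepted if domain_permitted(ta.domain, allowed) else rejected).append(ta)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample: a gateway offers anchors for its own zone and for
    # zones the user's policy does not cover.
    offered = [
        TrustAnchor("corp.example.", "DNSKEY-PLACEHOLDER-1"),
        TrustAnchor("hr.corp.example.", "DNSKEY-PLACEHOLDER-2"),
        TrustAnchor("bank.example.", "DNSKEY-PLACEHOLDER-3"),
        TrustAnchor("notcorp.example.", "DNSKEY-PLACEHOLDER-4"),
    ]
    ok, bad = filter_trust_anchors(offered, ["corp.example"])
    print("accepted:", [t.domain for t in ok])
    print("rejected:", [t.domain for t in bad])
```

With the policy ["corp.example"] the first two anchors are accepted and the other two rejected; with an empty policy list nothing is accepted, which is the setting the reply expects a user of a public VPN to choose.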