On Wed, 20 Jun 2018, Eric Rescorla wrote:
I thought I had made clear what was bothering me, so I suppose we must be talking past each other. I read this text as saying that there are important cases where in fact the client will not have any reasonable way of knowing which domains to accept from the server, which, it seems to me, contradicts the claim above that it's practical. You obviously think I'm wrong, so how should I be reading this text?
I understand what bothers you. You see browsers getting non-public TLSA answers and you are concerned about WebPKI bypass and enterprise meddling. I see text restricting and notifying users of the domain names that will be part of the IKE configuration or negotiation, allowing them to reject inappropriate domains. You fear the user will just click yes.

Then you somehow would like to know how common this new behaviour would be and how reasonable it is for a client to understand what is happening. I cannot answer how common this would be, other than stating that in the past this wasn't possible at all. And that client understanding could be presented cleanly, and I gave an example.

To me, the only question is how to change the text so this is all clear to you, but you say you are still gathering facts and you are not ready yet to evaluate any proposed changes. Maybe some other people can chime in on this discussion and/or provide text to clarify things to you better than I am able to.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
