On Wed, Dec 14, 2016 at 12:18:17PM +0100,
Shane Kerr wrote
a message of 87 lines which said:
> So basically you are advocating a model where meta-data
> (specifically lookups of NS records and their associated A/
> records) is public and other data is private?
t;sh...@time-travellers.org>
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] [Step 2] More discussion needed: state your opinion
>
>
> (With no hats...)
>
> On 13/12/16 19:44, Christian Huitema wrote:
> > On Tuesday, December 13, 2016 11:16 AM, Paul Hoffma
Paul,
At 2016-12-14 07:24:44 -0800
"Paul Hoffman" wrote:
>
> 2) Which authentication(s) to use?
> >>>
> >>> I really like the CGA approach, but realistically I don't think that
> >>> would be accepted. If we think that it would be, then I'm all for
> >>> it.
>
On Wed, 14 Dec 2016 12:40:25 +0100, Shane Kerr wrote:
>John,
>
>At 2016-12-13 10:01:51 -0800
>John Heidemann wrote:
>
>> >IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec
>> >may have problems traversing NAT. It is also usually implemented by the
>> >kernel,
On 14 Dec 2016, at 3:34, Shane Kerr wrote:
IPsec seems desirable because somehow it seems better to be able to
layer on top of security at the lowest level possible? Layer 3 instead
of layer 4?
Although I guess the only extra information we would be exposing with
TLS or DTLS would be the port
On Wed, Dec 14, 2016 at 12:37:39PM +0100,
Shane Kerr wrote
a message of 65 lines which said:
> If only there was a way to publish information about a server's
> preferences
There is one: DANE (at least to express that you support - or not -
TLS and DTLS).
For
John,
At 2016-12-13 10:01:51 -0800
John Heidemann wrote:
> >IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec
> >may have problems traversing NAT. It is also usually implemented by the
> >kernel, which may cause deployment issues. I *want* IPsec to be an
>
Stephane,
At 2016-12-14 10:46:16 +0100
Stephane Bortzmeyer wrote:
> On Wed, Dec 14, 2016 at 10:21:13AM +0100,
> Shane Kerr wrote
> a message of 90 lines which said:
>
> > > Given that a fallback to TCP/TLS is likely needed even if the
> > >
Stephane,
At 2016-12-13 16:41:33 +0100
Stephane Bortzmeyer wrote:
> On Tue, Dec 13, 2016 at 03:46:25PM +0100,
> Shane Kerr wrote
> a message of 120 lines which said:
>
> > I think that TLS may be more painful in the resolver-to-auth case,
> >
On Tue, Dec 13, 2016 at 11:16:08AM -0800,
Paul Hoffman wrote
a message of 60 lines which said:
> If what we invent has better characteristics than DTLS or TLS, that
> means that the TLS WG failed to find something that we could. That
> seems *incredibly* unlikely, given
On Wed, Dec 14, 2016 at 10:21:13AM +0100,
Shane Kerr wrote
a message of 90 lines which said:
> > Given that a fallback to TCP/TLS is likely needed even if the
> > right answer is QUIC, and given that however the WG decide to
> > address server authentication and
(With no hats...)
On 13/12/16 19:44, Christian Huitema wrote:
> On Tuesday, December 13, 2016 11:16 AM, Paul Hoffman wrote:
>>
>> If what we invent has better characteristics than DTLS or TLS, that
>> means that the TLS WG failed to find something that we could. That seems
>> *incredibly*
On Tue, Dec 13, 2016 at 11:16:08AM -0800, Paul Hoffman wrote:
>
> On 13 Dec 2016, at 6:46, Shane Kerr wrote:
>
> >IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec
> >may have problems traversing NAT. It is also usually implemented by the
> >kernel, which may cause
On Tuesday, December 13, 2016 11:16 AM, Paul Hoffman wrote:
>
> If what we invent has better characteristics than DTLS or TLS, that
> means that the TLS WG failed to find something that we could. That seems
> *incredibly* unlikely, given the people active in the two WGs.
Actually, QUIC might
On Tue, 13 Dec 2016, Paul Hoffman wrote:
IPsec will always have worse characteristics for DOS than DTLS, and probably
worse than TLS.
[citation needed]
Paul
___
dns-privacy mailing list
dns-privacy@ietf.org
On 13 Dec 2016, at 6:46, Shane Kerr wrote:
IIRC the idea of using IPsec was also discussed somewhere. IIRC, IPsec
may have problems traversing NAT. It is also usually implemented by
the
kernel, which may cause deployment issues. I *want* IPsec to be an
option here, but realistically I don't
On Tue, 13 Dec 2016 15:46:25 +0100, Shane Kerr wrote:
>Stephane,
>
>At 2016-12-13 11:59:36 +0100
>Stephane Bortzmeyer wrote:
>
>> In the minutes of the Seoul meeting, we see:
>>
>> Strong hum for sticking around to work on this.
>> Terry (as AD): more mailing list discussion,
On Tue, 13 Dec 2016, Stephane Bortzmeyer wrote:
IIRC the idea of using IPsec was also discussed somewhere. IIRC,
IPsec may have problems traversing NAT. It is also usually
implemented by the kernel, which may cause deployment issues. I
*want* IPsec to be an option here, but realistically I
On Tue, Dec 13, 2016 at 03:46:25PM +0100,
Shane Kerr wrote
a message of 120 lines which said:
> I think that TLS may be more painful in the resolver-to-auth case,
> as TCP Fast Open will be generally less useful, right?
Same thing (even worse) for persistent TCP
Stephane,
At 2016-12-13 11:59:36 +0100
Stephane Bortzmeyer wrote:
> In the minutes of the Seoul meeting, we see:
>
> Strong hum for sticking around to work on this.
> Terry (as AD): more mailing list discussion, please
>
> So, this email is to request this
> discussion.
20 matches
Mail list logo