Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

2018-04-13 Thread Richard Barnes
On Fri, Apr 13, 2018 at 4:30 PM, Nico Williams wrote: > On Thu, Apr 12, 2018 at 04:10:27PM -0700, Eric Rescorla wrote: > > On Thu, Apr 12, 2018 at 4:06 PM, Viktor Dukhovni > > > wrote: > > > Proposed text: > > > > > >When the server has

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

2018-04-13 Thread Nico Williams
On Thu, Apr 12, 2018 at 04:10:27PM -0700, Eric Rescorla wrote: > On Thu, Apr 12, 2018 at 4:06 PM, Viktor Dukhovni > wrote: > > Proposed text: > > > >When the server has DNSSEC-signed TLSA records, the first RRset in > >the chain MUST contain the TLSA record set

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

2018-04-13 Thread Nico Williams
On Thu, Apr 12, 2018 at 09:51:12PM -0700, Eric Rescorla wrote: > On Thu, Apr 12, 2018 at 9:40 PM, Viktor Dukhovni > wrote: > > > On Apr 13, 2018, at 12:07 AM, Melinda Shore < > > melinda.sh...@nomountain.net> wrote: > > > > > > I'm okay with putting denial-of-existence in

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

2018-04-13 Thread Jim Fenton
I haven't been following this WG closely but read the draft and discussion to see what this was all about, so here's an opinion from a somewhat external reviewer, not in the room in London: On 4/4/18 10:50 AM, Joseph Salowey wrote: > Hi Folks, > > Some objections were raised late during the

Re: [TLS] Fwd: New Version Notification for draft-barnes-tls-pake-00.txt

2018-04-13 Thread Richard Barnes
Hey Tony, Thanks for the comments. Hopefully we can adapt this document to tick more boxes for you :) Since I had noticed some other errors in the document (e.g., figures not rendering properly), I went ahead and submitted a new version that takes these comments into account.

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

2018-04-13 Thread Nico Williams
On Thu, Apr 12, 2018 at 04:40:25AM -0400, Paul Wouters wrote: > On Wed, 11 Apr 2018, Benjamin Kaduk wrote: > > >I don't really agree with that characterization. To state my understanding, > >as responsible AD, of the status of this document: this document is in the > >RFC Editor's queue being

Re: [TLS] Middlebox Security Protocol initial drafts

2018-04-13 Thread Eric Rescorla
On Fri, Apr 13, 2018 at 9:19 AM, Tony Rutkowski < trutkowski.netma...@gmail.com> wrote: > Good observation. When the work started, 1.3 was a work in progress and > the rapporteurs wanted to move forward with an initial test of concept > based on considerable published work out there. In addition,

Re: [TLS] Middlebox Security Protocol initial drafts

2018-04-13 Thread Eric Rescorla
Hi Tony, Thanks for forwarding these. I haven't had time to give them a thorough review, but on a quick skim I notice that this seems to be based on TLS 1.2 and to use a bunch of algorithms we are trying to deprecate (e.g., CBC). Is there a reason not to start with TLS 1.3 and more modern