On 2017-01-22 18:01, Wes Turner wrote:
> 
> 
> On Sunday, January 22, 2017, Cory Benfield <c...@lukasa.co.uk> wrote:
> 
> 
>>     On 22 Jan 2017, at 16:23, Wes Turner <wes.tur...@gmail.com> wrote:
>>
>>     Looking at the GnuTLS manual [1], I see a number of potential
>>     additional configuration parameters:
>>
>>     - session resumption (bool, expiration time)
>>     - Trust on first use (SSH-like)
>>     - DANE [2]
> 
>     Remember that the goal of this API is not to support every
>     configuration option supported by 1 or more concrete
>     implementations. The goal of this API is to support the common
>     superset of the most-used APIs as needed for TLS. TOFU at the TLS
>     level is not in that scope. DANE is not widely supported. 
> 
> 
> - OpenSSL 1.1.0 supports DANE 
> - GnuTLS supports DANE
> - AFAIU, neither SChannel nor Secure Transport yet support DANE
> 
> So, in order to support e.g. DANE, where would the additional
> backend-specific configuration occur?

DANE is irrelevant for PKI and suffers from the same issue as OCSP
requests. Melinda is working on an IETF standard for DANE stapling. For
TLS API 2.0 we can talk about OCSP stapling, EV and CT. For the first
iteration, any advanced feature is out of scope.

Please remember, all features have to be implemented for at least four
wrappers (Python ssl, cryptography for PyPy, SChannel and
SecureTransport). Let's not get ahead of ourselves.

Christian
_______________________________________________
Security-SIG mailing list
Security-SIG@python.org
https://mail.python.org/mailman/listinfo/security-sig