On 08.11.2015 17:45, James Cloos wrote:
> When TLSA records are used, the SRV destination should be the only name
> checked for in the certs.

Is that so? At least with DANE-EE, no checks on the host name need to be done anymore. (It is used to look up the TLSA records though, which could be what you meant to say.)

> It would be best for xmpp to target that model for all TLS usage. It is
> much easier than the pre-tlsa options are.

In principle, I agree. However, DANE support, especially in clients, is not yet widespread enough to rely on that. The barriers to implementing DANE are also much higher than those of implementing the ProtoXEP under discussion would be, at least until DANE support lands in the popular TLS stacks. Also, DNSSEC is still not deployed in all top level domains; I think the (for XMPP) very relevant .im, for example, is still lacking it.

If we could rely on DANE everywhere, SNI would not be needed at all anymore; a service could just present a single certificate for all XMPP domains and publish the corresponding TLSAs in the zone.

regards,
Jonas
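To illustrate the point made in the exchange above (the SRV target selects the TLSA RRset, and a DANE-EE match involves no host name comparison at all), here is an added example that is not part of the original mail. The TLSA field semantics follow RFC 6698/7671 (usage 3 = DANE-EE, selector 0 = full cert / 1 = SPKI, matching 0/1/2 = exact/SHA-256/SHA-512); the certificate and SPKI bytes, the record set and the `xmpp.example.net` target are constructed placeholders, and extracting the real SPKI from a DER certificate is left to a proper X.509 library.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE (end-entity cert/key pinned by the zone)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def tlsa_owner_name(srv_target: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a service reached via an SRV target.
    For XMPP s2s the SRV record points at e.g. xmpp.example.net:5269, so the
    TLSA records live at _5269._tcp.xmpp.example.net (the SRV target, not the
    XMPP domain the user typed)."""
    return f"_{port}._{proto}.{srv_target.rstrip('.')}."


def _digest(matching: int, blob: bytes) -> bytes:
    if matching == 0:
        return blob
    if matching == 1:
        return hashlib.sha256(blob).digest()
    if matching == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unsupported matching type {matching}")


def dane_ee_matches(records: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE(3) record matches the presented end-entity cert.
    Note what is absent: no SAN/CN comparison against any name. The zone that
    published the TLSA record already said which key is acceptable here.
    Records with other usages or unknown parameters are skipped (RFC 7671
    calls them unusable for this check); DANE-TA/PKIX would need a chain."""
    for r in records:
        if r.usage != 3:
            continue
        blob = cert_der if r.selector == 0 else spki_der if r.selector == 1 else None
        if blob is None:
            continue
        try:
            if _digest(r.matching, blob) == r.data:
                return True
        except ValueError:
            continue
    return False


# Constructed sample input (not real DER): what the server presented...
PRESENTED_CERT = b"constructed-cert-der:xmpp.example.net"
PRESENTED_SPKI = b"constructed-spki-der:key-A"
# ...and what the zone at _5269._tcp.xmpp.example.net published: "3 1 1 <sha256>"
ZONE_RECORDS = [TLSA(3, 1, 1, hashlib.sha256(PRESENTED_SPKI).digest())]
```

A server rotating to a new key (`constructed-spki-der:key-B`) fails the check until the zone publishes a matching record, which is exactly the operational coupling the mail alludes to when it says DANE support must land in TLS stacks and zones before SNI-free deployment is realistic.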
