On Fri, Aug 1, 2014 at 4:46 PM, Martin Thomson <[email protected]> wrote:
> On 1 August 2014 14:41, Nico Williams <[email protected]> wrote:
>> Well, with DANE in mind... if the RST sender is the server, it could
>> sign it.
>
> At the point that you are authenticating the connection, I think that
> many of our assumptions change.

Are we explicitly precluding DANE?  Why?  It's one thing to
opportunistically exchange keys (with a key agreement protocol) and
use them to get confidentiality and integrity protection.  It's
another thing altogether to say that we can't upgrade this protocol to
something stronger when that is available.

(Note: I'm not proposing that kernel-land TCPs speak DNSSEC.)

Nico
--

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
