On Thu, Feb 8, 2018 at 11:35 AM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> Summary as I see it:
>
>   * Mandatory DANE: MUST refuse absence of TLSA RRs or failure
>     of PKIX-TA(0) and PKIX-EE(1). Must fail when no TLSA RRs
>     are cached and the server does not present the extension.
>
>   * "Opportunistic DANE": MAY refuse failed PKIX-TA(0) and PKIX(1)
>     if caching replies, and SHOULD attempt to refresh cache before
>     expiration to reduce opportunity for downgrades. Non-caching
>     clients don't really gain security by refusing valid PKIX on
>     DANE failure, and MAY choose to continue.

This seems reasonable to me too.

Shumon
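The two client policies in the quoted summary (mandatory vs. opportunistic DANE, with the cache and extension-presence conditions) can be written out as a decision function. The following is an added illustration for this thread, not code from any TLS implementation or from the draft; the field names of the handshake view, the refresh margin, and the choice to actually refuse on the "MAY refuse" branch for caching clients are assumptions made here.

```python
"""Added example: client-side decision logic for the mandatory and
opportunistic DANE policies summarised above (illustrative model,
not code from any library or the draft; field names are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MANDATORY = "mandatory"
    OPPORTUNISTIC = "opportunistic"


@dataclass
class HandshakeView:
    """What the client knows at certificate-verification time (constructed fields)."""
    mode: Mode
    client_caches: bool       # client keeps a TLSA cache at all
    cached_tlsa: bool         # unexpired TLSA RRs for this server are in the cache
    extension_present: bool   # server sent the DNSSEC chain extension
    tlsa_in_chain: bool       # chain proved TLSA RRs exist (False = denial of existence)
    dane_match: bool          # a PKIX-TA(0) or PKIX-EE(1) record matched the chain
    pkix_valid: bool          # ordinary PKIX validation of the chain succeeded


def have_tlsa(v: HandshakeView) -> bool:
    """TLSA data to validate against: a presented chain wins over the cache."""
    if v.extension_present:
        return v.tlsa_in_chain
    return v.cached_tlsa


def decide(v: HandshakeView) -> tuple:
    """Return (accept, reason) for the connection under the client's policy."""
    if v.mode is Mode.MANDATORY:
        # Must fail when nothing is cached and the server omits the extension.
        if not v.extension_present and not v.cached_tlsa:
            return False, "mandatory: no cached TLSA and server omitted the extension"
        # MUST refuse absence of TLSA RRs.
        if not have_tlsa(v):
            return False, "mandatory: TLSA RRs absent"
        # MUST refuse failure of PKIX-TA(0)/PKIX-EE(1); both usages need PKIX too.
        if not (v.pkix_valid and v.dane_match):
            return False, "mandatory: PKIX-TA(0)/PKIX-EE(1) validation failed"
        return True, "mandatory: DANE validated"

    # Opportunistic: usages 0 and 1 require PKIX regardless, so PKIX failure is fatal.
    if not v.pkix_valid:
        return False, "opportunistic: PKIX validation failed"
    if not have_tlsa(v):
        return True, "opportunistic: no TLSA RRs, plain PKIX accepted"
    if v.dane_match:
        return True, "opportunistic: DANE validated"
    if v.client_caches:
        # MAY refuse; this model chooses to refuse because the cache makes
        # the mismatch meaningful (possible downgrade).
        return False, "opportunistic: DANE mismatch with cached/presented TLSA, refused"
    # Non-caching client gains nothing by refusing valid PKIX on DANE failure.
    return True, "opportunistic: DANE mismatch, non-caching client continues on valid PKIX"


def should_refresh(expires_at: float, now: float, margin: float) -> bool:
    """SHOULD refresh cached TLSA RRs before they expire (margin is a local choice)."""
    return now + margin >= expires_at


if __name__ == "__main__":
    v = HandshakeView(Mode.MANDATORY, True, False, False, False, False, True)
    print(decide(v))
```

The `have_tlsa` helper prefers the chain the server just presented over the cache; the summary does not spell out what a caching client should do when a presented denial of existence contradicts unexpired cached TLSA RRs, so that case is deliberately not special-cased here.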
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls