[ Not replying for Paul, I'm sure he he'll post views separately ] > On Mar 3, 2018, at 10:21 PM, Eric Rescorla <e...@rtfm.com> wrote: > > Paul, can you walk me through the security value of a proof of nonexistence > here? Perhaps describe an attack that it stops.
My take is: Non-existence proofs can clear a pinned DANE policy, where a client would other require ongoing delivery TLSA records (after initially seeing them from the server). The data would not be pinned, that's what the DNSSEC signed TLSA records are for. The attack in question is downgrade to just PKIX (with fraudulently obtained certificates). Such a downgrade makes PKIX-TA(0) and PKIX-EE(1) ineffective, and downgrades DANE TlSA to DV certs which are strictly weaker. Therefore, if the extension were to include an extended pin-TTL, then denial of existence becomes useful, and indeed the pinning is primarily a means to make it downgrade-resistant. -- Viktor. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls