Hello,

Can you please provide updated text that addresses EKR's discuss while
this additional discussion continues?  I'd like to see if it's
possible to get this wrapped up before the plenary in London.
Eliminating discuss points and resolving this additional issue are
required for that.  If this does not get wrapped up before then, it is
likely the draft will have to go on another IESG telechat with Ben as
AD, which is fine if that's needed, but better to avoid.

Thank you,
Kathleen

On Mon, Mar 12, 2018 at 2:29 PM, Paul Wouters <p...@nohats.ca> wrote:
> On Mon, 5 Mar 2018, Willem Toorop wrote:
>
>> No Paul, the division in sections is irrelevant for a verifier.  The
>> only bit of information in a DNS message that is used by a verifier is
>> the question.  From the question, validation starts and the relevant
>> records are followed and verified.  But the question section is also not
>> needed as the question can be derived from the name and port of the
>> service, i.e. <port>._tcp.<name>. TLSA
>>
>> The order described in the draft is both an optimization to reduce the
>> number of times a verifier has to go over the RRs, and it makes the
>> content easier to read (and understand) for humans too.
>>
>> Also, for non existence answers, DNSSEC validators (and thus also a
>> verifier for the chain extension) simply ignore the DNS message header.
>> Proof of non-existence can and must be derived from the set of RRs in
>> the message body/sections too.
>
>
> Willem (and Shumon and Viktor) have convinced me the DNS Header and
> Sections are not needed.
>
>> The extension already supports Denial of Existence proof b.t.w., because
>> it is also needed for wildcard expansions (which are supported).
>
>
> The issue here is the requirement of the TLS server to send these
> records in the absence of any TLS record. This allows the clients to
> detect a rogue webserver cert that is valid in webPKI but not valid
> based on DANE. Without this commitment, the TLS extension does not
> really work, as it can be omitted by an attacker.
>
> Paul
>



-- 

Best regards,
Kathleen

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
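Willem's point in the quoted text, that a verifier for the chain extension works from the question (derivable as `<port>._tcp.<name>` TLSA) and follows the relevant records wherever they sit in the message, can be shown with a short structural walk. The following is an added example, not code from the thread or from the draft: it derives the TLSA owner name from service name and port, indexes an unordered bag of records, and pulls the chain out from the TLSA RRset up to the root DNSKEY. It checks only that each link is present with a covering RRSIG; the sample records and their rdata are constructed placeholders, and no signature verification, wildcard or denial-of-existence handling is performed.

```python
# Added example (not from the mailing-list thread or the draft): structural
# chain collection for the TLS DNSSEC chain extension. No cryptography here,
# only "is every link present and covered by an RRSIG". Wildcard expansion and
# NSEC/NSEC3 denial-of-existence proofs are out of scope for this illustration.
from collections import defaultdict


def tlsa_owner(name, port, proto="tcp"):
    """Derive the TLSA question name for a service: _<port>._<proto>.<name>."""
    return f"_{port}._{proto}.{name.rstrip('.').lower()}."


def ancestors(owner):
    """Yield the owner itself, then each parent name up to and including the root."""
    labels = [label for label in owner.rstrip(".").split(".") if label]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def index_records(records):
    """Index an unordered RR list: types present per owner, RRSIG-covered types per owner."""
    types = defaultdict(set)
    signed = defaultdict(set)
    for owner, rtype, rdata in records:
        owner = owner.lower()
        if rtype == "RRSIG":
            # In presentation format the first RRSIG field is the type covered.
            signed[owner].add(rdata.split()[0])
        else:
            types[owner].add(rtype)
    return types, signed


def collect_chain(records, name, port, proto="tcp"):
    """Return the chain as ordered (owner, type) steps, or None if a link is missing.

    Sections and record order in the input are irrelevant: the walk starts at
    the question derived from name/port and climbs zone cuts up to the root.
    """
    types, signed = index_records(records)
    qname = tlsa_owner(name, port, proto)
    if "TLSA" not in types[qname] or "TLSA" not in signed[qname]:
        return None
    chain = [(qname, "TLSA")]
    for zone in ancestors(qname):
        present = types[zone] & {"DNSKEY", "DS"}
        if not present:
            continue  # no apex records here: not a zone cut on this chain
        if "DNSKEY" not in present or "DNSKEY" not in signed[zone]:
            return None
        chain.append((zone, "DNSKEY"))
        if zone == ".":
            break  # root DNSKEY reached; matching it to a trust anchor is the caller's job
        if "DS" not in present or "DS" not in signed[zone]:
            return None
        chain.append((zone, "DS"))
    else:
        return None  # never reached a root DNSKEY: nothing to anchor on
    return chain


# Constructed sample records as (owner, type, rdata) tuples, deliberately out of
# the order the draft describes. Key, digest and signature fields are placeholders.
SAMPLE_RECORDS = [
    ("com.", "DS", "12345 13 2 PLACEHOLDER-DIGEST"),
    ("example.com.", "DNSKEY", "257 3 13 PLACEHOLDER-KEY"),
    (".", "RRSIG", "DNSKEY 8 0 172800 PLACEHOLDER-SIG"),
    ("_443._tcp.www.example.com.", "RRSIG", "TLSA 13 5 3600 PLACEHOLDER-SIG"),
    ("com.", "DNSKEY", "257 3 13 PLACEHOLDER-KEY"),
    ("example.com.", "RRSIG", "DS 13 2 86400 PLACEHOLDER-SIG"),
    ("_443._tcp.www.example.com.", "TLSA", "3 1 1 PLACEHOLDER-HASH"),
    ("example.com.", "DS", "23456 13 2 PLACEHOLDER-DIGEST"),
    ("com.", "RRSIG", "DNSKEY 13 1 86400 PLACEHOLDER-SIG"),
    (".", "DNSKEY", "257 3 8 PLACEHOLDER-KEY"),
    ("com.", "RRSIG", "DS 8 1 86400 PLACEHOLDER-SIG"),
    ("example.com.", "RRSIG", "DNSKEY 13 2 3600 PLACEHOLDER-SIG"),
]

if __name__ == "__main__":
    for step in collect_chain(SAMPLE_RECORDS, "www.example.com", 443) or ["no complete chain"]:
        print(step)
```

The returned list is exactly the TLSA-to-root order the draft uses, which is what Willem calls an optimization: a verifier that indexes by owner does not depend on receiving records in that order. Dropping any single link (for instance the DS for `com.`) makes `collect_chain` return `None`, which is the structural half of the point Paul raises about omission; whether the server was obliged to send the records at all is the policy question the thread is about, not something this walk can decide.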