On Thu, Apr 05, 2018 at 02:46:12AM -0400, Viktor Dukhovni wrote:

> So I rather suspect that even the DPRIV use-case, which supposedly does not
> need the proposed changes, actually does need them for meaningful security
> from using DANE, and we've just not looked at the details closely enough yet.
> It may well turn out not substantially different from the browser use-case
> that is not adequately met by the current draft.
>
> Can someone explain briefly how DPRIV avoids the same downgrade issues, and
> negative adoption incentives (cost-benefit comparison)? If it turns out that
> no adequate explanation is possible, and indeed the same issues are present,
> then the proposed changes (which are still needed elsewhere) are all the
> more pressing.
Oh, right, DPRIV isn't a work-in-progress. It's already here. Thus it cannot be an application that makes draft-ietf-tls-dnssec-chain-extension mandatory. Therefore it's subject to the downgrade attack we want to address with (C).

I think now the WG should really want this LC to succeed and get this change made.

Nico

-- 
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls