On Thu, Apr 05, 2018 at 02:46:12AM -0400, Viktor Dukhovni wrote:
> So I rather suspect that even the DPRIV use-case, which supposedly does not 
> need
> the proposed changes, actually does need them for meaningful security from 
> using
> DANE, and we've not just not looked at the details closely enough yet.  It may
> well turn out not substantially different from the browser use-case that is 
> not
> adequately met by the current draft.
> Can someone explain briefly how DPRIV avoids the same downgrade issues, and
> negative adoption incentives (cost-benfit comparison)?  If it turns out that
> no adequate explanation is possible, and indeed the same issues are present,
> then the proposed changes (which are still needed elsewhere) are all the
> more pressing.

Oh, right, DPRIV isn't a work-in-progress.  It's already here.  Thus it
cannot be an application that makes draft-ietf-tls-dnssec-chain-extension
mandatory.  Therefore it's subject to the downgrade attack we want to
address with (C).

I think now the WG should really want this LC to succeed and get this
change made.


TLS mailing list

Reply via email to