>   * The present text (Section 8) says:
> 
>          Green field applications that are designed to always employ this
>          extension, could of course unconditionally mandate its use.
> 
> Therefore such "green field" applications (presumably some of the ones
> ready to implement now) effectively mandate DNSSEC and TLSA records
> at the server, NOT JUST support for the extension.

Viktor, I believe you have confused a "could" with a "mandate".

The text of this RFC does not require future green field applications
to mandate the use of this extension.  It merely allows them to do so.
None need ever do so.  If any ever did, the future RFC could specify
how servers which do not have validated TLSA records should handle the
situation.  Different future protocols might choose different ways
to handle this (e.g. don't send the extension at all; or send a validated
denial; or send some kind of flag saying that the server doesn't even have
a validated denial because it isn't using DNS or because some domain on
its path to the DNS root isn't doing DNSSEC or isn't using NSECx records).

Please, let this RFC go, rather than requiring that this committee
first insert into it a paper spec for what some future protocol should
do, without even knowing what the future protocol is.

        John

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls