On Mon, 16 Apr 2018, Viktor Dukhovni wrote:

>> * We might want to say that if the TTL is zero then the clients MUST NOT
>>  pin and must clear any pin.  And we might do this in spite of not
>>  describing any pinning semantics -- explicitly leaving pinning
>>  semantics to a future document.
>
> Exactly.  I'd like to suggest that this is the most reasonable
> common ground, and would urge the WG and authors to get behind
> this as a consensus position.

This seems dangerous. If an attacker can re-route and get a rogue
cert, they can set TTL to 0, negating a previously set TTL, without
requiring proof by presenting the denial-of-existence of the TLSA
record. That is also a downgrade attack.

How to go from TTL != 0 to TTL == 0 should be specified carefully,
either in this document or its own document.

The only known safe way of going to TTL == 0 is by presenting DoE of
TLSA records (but it does bind using the TLS extension to the existence
of TLSA records).

Paul
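
The TTL != 0 to TTL == 0 transition discussed in this message, as an added sketch that is not part of the original message or of any draft: a client pin store replayed under the "TTL zero clears any pin" rule and under a rule that clears a pin only with a validated denial of existence (DoE). The field names, host name and the `doe_validated` flag (standing in for a DNSSEC validator's result) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Handshake:
    # Constructed model of one completed TLS handshake; all fields are assumptions.
    host: str
    ttl: int             # pin TTL in seconds signalled by the server, 0 = "do not pin"
    doe_validated: bool  # client validated a DNSSEC denial of existence for the TLSA RRset

class PinStore:
    def __init__(self, require_doe_to_unpin):
        self.require_doe_to_unpin = require_doe_to_unpin
        self.expiry = {}  # host -> absolute time at which the pin lapses

    def is_pinned(self, host, now):
        return self.expiry.get(host, 0) > now

    def process(self, hs, now):
        """Apply one handshake; return 'pinned', 'unpinned', 'no-pin' or 'rejected'."""
        if hs.ttl > 0:
            self.expiry[hs.host] = now + hs.ttl
            return "pinned"
        if not self.is_pinned(hs.host, now):
            return "no-pin"  # TTL 0 and nothing to clear
        # TTL != 0 -> TTL == 0 transition: the case the message says needs care.
        if self.require_doe_to_unpin and not hs.doe_validated:
            return "rejected"  # keep the pin; an unproven TTL 0 is treated as a downgrade
        del self.expiry[hs.host]
        return "unpinned"

def replay(require_doe_to_unpin):
    """Run the same constructed handshake sequence under one policy."""
    store = PinStore(require_doe_to_unpin)
    events = [
        (0,   Handshake("mail.example", 3600, False)),  # genuine server sets a pin
        (100, Handshake("mail.example", 0, False)),     # rogue-cert server sends TTL 0, no DoE
        (200, Handshake("mail.example", 0, True)),      # operator removed TLSA, proves it with DoE
    ]
    return [(store.process(hs, t), store.is_pinned(hs.host, t)) for t, hs in events]

if __name__ == "__main__":
    print("TTL 0 always clears:", replay(False))
    print("DoE required       :", replay(True))
```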
