On Mon, Nov 05, 2018 at 09:54:19PM -0500, Paul Wouters wrote:
> On Mon, 5 Nov 2018, Salz, Rich wrote:
>
> >Is it fair to describe the draft as enabling a trust model based on DNSSEC,
> >rather than the default X.509 hierarchy and trust store which is implemented
> >by default?
>
> The draft tries to enable a trust model based on DNSSEC, but due to
> missing pinning, fails to deliver that.
>
> A better way is saying the draft enables a trust model that restricts
> the webpki, addressing the problems of too many unrestricted root CA
> players being accepted by TLS clients these days [provided the draft
> adds a mechanism like pinning to prevent downgrade attacks]
If we don't agree on what the draft is trying to do, it seems rather
difficult to attempt to claim that there is WG consensus to publish it.
This seems to suggest that we may need more precise text in the
document about what it is (and is not) trying to do. The slides Sean
posted for the Wednesday session note that fairly early in the timeline
we thought:
Primarily aimed at making
DANE practical for HTTPS,
where last-mile considerations
on the client end are a
significant part of the adoption
barrier.
Paul, are you proposing that this would only be PKIX-{EE,CA} to the
exclusion of DANE-{EE,CA}? (In terms of "restricts the webpki".)
Thanks,
Ben
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
