On Wed, Jul 15, 2020, at 08:53, Ben Schwartz wrote:

> For ease of deployment, I wonder whether the concept of a "scope" needs
> to be pinned down a bit more precisely. In 00 here, the scope is
> entirely implicit; servers are required to know how users might have
> found them, and what other servers they also might have found at the
> same time.
I don't think that it is that bad. It is more that server operators need to understand that the ways in which they advertise the availability of their service interact with what is deployed. That is, you need to configure discovery methods and your TLS stacks with the same information (though your TLS configuration can be more conservative in terms of advertising a subset of what can be discovered, so that deployments can be staged).

Right now, that means that if you use SVCB, you should configure your TLS stack to authenticate that. This might eventually include QUIC versions as well - once that is sorted out - but that won't require the same sort of coordination.

The problem with more detailed indications is that it requires far more configuration. The TLS stack doesn't just need to know that FOO is available, it needs to know where. As that is usually the business of the DNS provisioning more than the TLS configuration, I'm concerned that you would get out of sync too easily.

_______________________________________________
TLS mailing list
https://www.ietf.org/mailman/listinfo/tls
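One way to make the "same information" requirement checkable on the operator's side, as an added example that is not part of this thread or of any draft: collect the ALPN identifiers from the SVCB/HTTPS records a client could discover within one scope and flag anything the TLS stack is configured to advertise that is not discoverable, while the conservative case (TLS advertising a subset, for a staged rollout) passes. The record contents and the TLS-side set below are constructed, and the subset rule is the one stated in the reply above.

```python
import re

# Constructed sample inputs (not from the thread): the SVCB/HTTPS records a
# client could discover for one scope, and the set of protocols the server's
# TLS stack has been configured to authenticate as available.
DISCOVERED_RECORDS = [
    '1 . alpn="h2,h3" ipv4hint=192.0.2.1',
    '2 alt.example. alpn="h3,foo\\,bar"',
]
TLS_ADVERTISED = {"h2", "h3", "h3-29"}   # h3-29 appears in no record

# 'alpn=' must start the token so that 'no-default-alpn' is not matched.
_ALPN = re.compile(r'(?:^|\s)alpn=(?:"([^"]*)"|(\S+))')

def parse_alpn(record):
    """Return the ALPN identifiers in one presentation-format SVCB/HTTPS
    record. The value is comma-separated; a backslash escapes the next
    character, so a literal comma inside an identifier is written '\\,'."""
    m = _ALPN.search(record)
    if not m:
        return set()
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    ids, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            cur.append(raw[i + 1]); i += 2      # escaped character
        elif raw[i] == ",":
            ids.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(raw[i]); i += 1
    ids.append("".join(cur))
    return {x for x in ids if x}

def check_scope(records, tls_advertised):
    """Compare everything discoverable across the scope with what the TLS
    stack authenticates. TLS may advertise a subset (staged rollout);
    anything it advertises that cannot be discovered is out of sync."""
    discoverable = set().union(*(parse_alpn(r) for r in records))
    return {
        "out_of_sync": sorted(tls_advertised - discoverable),
        "staged": sorted(discoverable - tls_advertised),
        "consistent": tls_advertised <= discoverable,
    }

if __name__ == "__main__":
    print(check_scope(DISCOVERED_RECORDS, TLS_ADVERTISED))
```

The check is deliberately one-directional: protocols that are discoverable but not yet authenticated in TLS are reported under "staged" rather than as errors, matching the conservative deployment the reply describes.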
