Toerless Eckert <[email protected]> wrote:
>> The other bit is that Registrars MUST IGNORE SNI when accepting Pledge
>> connections. Pledges ought to not send it, since they don't really know
>> what to put.
> Are there never methods by which pledges or proxies discover registrar
> DNS names ? Isn't that at least commonly expected for BRSKI cloud ?
BRSKI-cloud pledges are coded to connect to their cloud registrar by some
method. A DNS name + DNS-lookup + RFC6125 DNS-ID validation (with SNI)
against WebPKI, sounds reasonable.
But, it could also be via TLS-PSK authentication to a hard coded IP address.
(That would be stupid, and maybe even seriously insecure, but you could do it)
But, the BRSKI-cloud connection is not the prospective TLS connection that
section 5.1 defines.
> If this was a problem, it should be a problem already with a lot more
> TLS use-cases ?!
> Aka: I'd opt for not having to require an additional MUST IGNORE SNI..
What does a Registrar called "frank.example" do when it receives a BRSKI-EST TLS
connection for "jones.example"? Fail it? That's silly.
For all we know, the pledge did a mDNS discovery to find a join proxy and
that's why it's using the wrong name.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Anima mailing list [email protected] https://www.ietf.org/mailman/listinfo/anima
