On Nov 6, 2013, at 5:35 AM, "James Cloos" <[email protected]> wrote:

>>>>>> "CN" == Chris Newman <[email protected]> writes:
>
> CN> *2* I believe it's undesirable to attempt to deploy DANE TLSA for
> CN> submission services (port 587 or de-facto port 465)
>
> TLSA SHOULD be checked for *all* TLS connections by clients. We should
> not have any RFCs which try to exempt certain ports, nor recommend
> avoiding DANE for certain ports or services.
>
> We want the TLS libraries to implement it (as gnutls has done) and for
> applications to take advantage of DANE whenever they initiate TLS sockets.
>
> The only real question is what to do when provided just an ip address.
> Should the TLSA be checked in arpa., or should it look under the name
> returned by a PTR lookup?
>

I think, even if no TLSA records are found via those ways, that IF a cert is presented, a corresponding TLSA query should be made. That way, even if a random IP wants to pretend to be FOO, that FOO has the implicit opportunity to assert that the IP is not presenting the real cert for FOO.

Brian

> -JimC
> --
> James Cloos <[email protected]> OpenPGP: 1024D/ED7DAEA6
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
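The thread argues about which TLSA owner name a client should query when it only has an IP address, and whether to query again under the name in a presented certificate. The following Python sketch, added here as an illustration and not code from the thread or from any DANE library, shows the pieces a client-side check consists of: building the RFC 6698 owner name `_port._proto.host` (the submission ports 587 and 465 Chris Newman mentions are just ordinary port values), building the `in-addr.arpa` / `ip6.arpa` variant Jim raises for the address-only case, collecting the extra names derived from hostnames in the presented certificate (Brian's suggestion), and comparing a TLSA RRset against the certificate. The DNS lookups themselves are not performed; the function names, the `(usage, selector, matching_type, assoc_data)` tuple layout and the sample certificate bytes are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample: stand-ins for a server certificate (DER) and its
# SubjectPublicKeyInfo. In a real client both come from the TLS handshake.
SAMPLE_CERT_DER = b"constructed-certificate-der-bytes"
SAMPLE_SPKI_DER = b"constructed-spki-der-bytes"


def tlsa_owner_name(host, port, proto="tcp"):
    """Owner name as RFC 6698 defines it: _port._proto.host (example helper)."""
    host = host.rstrip(".").lower()
    return "_%d._%s.%s." % (port, proto, host)


def tlsa_owner_name_for_ip(ip, port, proto="tcp"):
    """Owner name for the address-only case discussed in the thread:
    the reverse-pointer name under in-addr.arpa / ip6.arpa (assumption)."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    return "_%d._%s.%s." % (port, proto, rev)


def candidate_tlsa_names(port, ip=None, cert_hostnames=()):
    """Every name worth querying: the address-derived one (if any) plus one
    per hostname the presented certificate claims."""
    names = []
    if ip is not None:
        names.append(tlsa_owner_name_for_ip(ip, port))
    for h in cert_hostnames:
        names.append(tlsa_owner_name(h, port))
    return names


def sha256_assoc(data):
    """Association data for matching type 1 (SHA-256)."""
    return hashlib.sha256(data).digest()


def tlsa_record_matches(cert_der, spki_der, selector, matching_type, assoc_data):
    """Compare one TLSA record's association data against the presented cert.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo.
    matching_type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
    Unknown selector or matching type makes the record unusable."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        return False
    if matching_type == 0:
        digest = data
    elif matching_type == 1:
        digest = hashlib.sha256(data).digest()
    elif matching_type == 2:
        digest = hashlib.sha512(data).digest()
    else:
        return False
    # constant-time compare; differing lengths simply yield False
    return hmac.compare_digest(digest, assoc_data)


def dane_check(cert_der, spki_der, tlsa_rrset):
    """Evaluate an RRset of (usage, selector, matching_type, assoc_data).
    Only end-entity usages (1 = PKIX-EE, 3 = DANE-EE) are compared here;
    usages 0 and 2 constrain a CA in the chain and usage 1 additionally
    needs PKIX validation, both outside this example.
    Returns None when no records exist (no DANE assertion made), which a
    caller that wants to require DANE should treat as failure."""
    if not tlsa_rrset:
        return None
    return any(
        tlsa_record_matches(cert_der, spki_der, sel, mt, data)
        for (usage, sel, mt, data) in tlsa_rrset
        if usage in (1, 3)
    )


if __name__ == "__main__":
    for name in candidate_tlsa_names(587, "192.0.2.1", ["mail.example.com"]):
        print("would query TLSA at", name)
    rrset = [(3, 1, 1, sha256_assoc(SAMPLE_SPKI_DER))]
    print("match:", dane_check(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, rrset))
```

The distinction between "no records" (`None`) and "records present but none match" (`False`) matters for the thread's point: an operator who publishes TLSA records under FOO's name gets to assert that an IP presenting some other certificate for FOO is not genuine, but only if the client actually queries under FOO and treats a mismatch as fatal.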
