On Mon, Mar 17, 2014 at 11:14:32AM -0700, Paul Hoffman wrote:

> > There is no text in 6698 that even approximately suggests that clients
> > get to use only the records with the strongest (local criteria) digest.
> 
> In Section 4.1:
>    o  A TLSA RRSet whose DNSSEC validation state is secure MUST be used
>       as a certificate association for TLS unless a local policy would
>       prohibit the use of the specific certificate association in the
>       secure TLSA RRSet.

This is not "use strongest".  This is the opposite.  It forces the
use of tarnished, but still acceptable digests even when untarnished
digests are present.  The new proposal is to ignore all but the
strongest, even when the remainder would be usable.

Also the pseudo-code in the appendices loops over *all* "usable" TLSA
RRs (those not banned by 4.1).  My proposal modifies the pseudo-code
to loop over only those records (for each usage/selector) with the
strongest digest plus any records with matching type 0.

The key difference is the lifecycle of a tarnished digest.  With
6698, it is trusted until the moment it is dropped.  With the new
proposal it gradually fades out.  I think the fading out part is
an important feature.  It makes it possible to be secure with
servers that publish strong RRs even while accepting weak digests
from servers that don't.

-- 
        Viktor.
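
The record-selection difference discussed above, as an added illustration that is not part of the original post or of any RFC text. It contrasts the RFC 6698 style (every secure record with a supported matching type is a candidate) with the proposed style (per usage/selector, only the records carrying the strongest locally supported digest, plus any matching type 0 records). The local digest ranking, the record and certificate values, and the function names are all constructed assumptions for the example; the "certificate" byte strings are placeholders, not DER certificates.

```python
import hashlib
from collections import namedtuple

# A TLSA record: certificate usage, selector, matching type, association data.
TLSA = namedtuple("TLSA", "usage selector mtype data")

# Assumed local policy: supported digest matching types ranked by strength
# (higher rank = stronger).  1 = SHA2-256, 2 = SHA2-512.  Matching type 0
# (full data) is not a digest and is handled separately.
LOCAL_DIGEST_RANK = {1: 1, 2: 2}


def association_data(mtype, cert_bytes):
    """Compute what the record's data field must equal for this matching type."""
    if mtype == 0:
        return cert_bytes
    if mtype == 1:
        return hashlib.sha256(cert_bytes).digest()
    if mtype == 2:
        return hashlib.sha512(cert_bytes).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def usable_rfc6698(rrset, rank=LOCAL_DIGEST_RANK):
    """RFC 6698 style: every record with a supported matching type is used."""
    return [rr for rr in rrset if rr.mtype == 0 or rr.mtype in rank]


def usable_strongest(rrset, rank=LOCAL_DIGEST_RANK):
    """Proposed style: for each (usage, selector) keep only the records with
    the strongest supported digest, plus any matching type 0 records.
    A group that only has weaker digests still keeps them (the fade-out)."""
    groups = {}
    for rr in rrset:
        groups.setdefault((rr.usage, rr.selector), []).append(rr)
    out = []
    for rrs in groups.values():
        supported = [rr.mtype for rr in rrs if rr.mtype != 0 and rr.mtype in rank]
        strongest = max(supported, key=rank.get) if supported else None
        out.extend(rr for rr in rrs if rr.mtype == 0 or rr.mtype == strongest)
    return out


def authenticates(rrset, cert_bytes, select):
    """Records (after the chosen selection) whose data matches the presented bytes."""
    return [rr for rr in select(rrset)
            if rr.data == association_data(rr.mtype, cert_bytes)]


# Constructed sample data (placeholders, not real certificates).
OLD_CERT = b"constructed: old end-entity certificate bytes"
NEW_CERT = b"constructed: new end-entity certificate bytes"
CA_CERT = b"constructed: trust-anchor certificate bytes"

SAMPLE_RRSET = [
    TLSA(3, 1, 1, hashlib.sha256(OLD_CERT).digest()),  # stale SHA2-256 record left in the zone
    TLSA(3, 1, 2, hashlib.sha512(NEW_CERT).digest()),  # SHA2-512 record for the rotated cert
    TLSA(2, 0, 1, hashlib.sha256(CA_CERT).digest()),   # zone publishes only SHA2-256 for its CA
]

if __name__ == "__main__":
    # RFC 6698 style still accepts the old cert through the stale weak record.
    print("6698, old cert :", authenticates(SAMPLE_RRSET, OLD_CERT, usable_rfc6698))
    # Strongest-only ignores the weak record because a SHA2-512 sibling exists.
    print("strongest, old :", authenticates(SAMPLE_RRSET, OLD_CERT, usable_strongest))
    print("strongest, new :", authenticates(SAMPLE_RRSET, NEW_CERT, usable_strongest))
    # The CA group has no stronger digest, so its SHA2-256 record is still used.
    print("strongest, CA  :", authenticates(SAMPLE_RRSET, CA_CERT, usable_strongest))
```

Under the proposed selection, the stale SHA2-256 record for usage 3 / selector 1 is ignored as soon as a SHA2-512 record sits beside it, while the usage 2 record (SHA2-256 only) stays usable; a client whose local ranking lacks SHA2-512 (for example `rank={1: 1}`) falls back to the SHA2-256 record for the same group, which is the gradual fade-out described in the message.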

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
