James:
Would not SECSH clients in particular be able to benefit from this
record type for raw public keys, if supported on an Intranet DNS?
Tom Gindin
P.S. The above suggestion is mine, and not that of my employer.
From: James Cloos <[email protected]>
To: John Gilmore <[email protected]>
Cc: [email protected]
Date: 06/24/2014 07:31 PM
Subject: Re: [dane] Compressed Call for Adoption:
draft-gilmore-dane-rawkeys-00
Sent by: "dane" <[email protected]>
>>>>> "JG" == John Gilmore <[email protected]> writes:
JG> In amending the TLSA RFC for raw public keys, we could remove those
JG> deliberate restrictions, and then write new deliberate restrictions.
JG> Paul Hoffman's comment above seems to be advocating for that position.
JG> Instead, I am advocating for not adding restrictions that have no
JG> technical or interoperability rationale.
On that topic, not only do I agree that language which tries to restrict
TLSA records to TLS is undesirable, I cannot discern *any* value in such
restrictions.
The software for any protocol which uses X.509 certs or which can handle
SPKI-formatted transmission of public keys should feel free to use TLSA records
to authenticate said certs or SPKIs. Even if it is a protocol which does
not listen(2) on a fixed port and therefore would need to search for TLSA
records differently than RFC 6698 describes.
If an alternate use of a given DNS RR would lead to some sort of conflict
which would break other uses, there would be valid cause to advocate
against such breakage. But I do not see how using TLSA records for
non-TLS protocols would do that.
-JimC
--
James Cloos <[email protected]> OpenPGP: 0x997A9F17ED7DAEA6
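The RFC 6698 matching that the messages above propose reusing for non-TLS protocols and raw public keys, as an added worked example (this is illustration code, not anything from the dane list, the draft, or any SSH or DNS implementation). It assumes the SSH-style case Tom raises (port 22/tcp on an intranet host name, chosen here as a hypothetical), a constructed sample SubjectPublicKeyInfo in place of a real key, and that a "raw public key" peer can only present an SPKI, never a full certificate; it does no DNS lookups, so the owner-name construction is the one part a protocol without a fixed port would have to define differently.

```python
"""Build and check DANE TLSA records against a raw public key (SPKI), per RFC 6698.

Added illustration for the dane-list thread above; not code from the draft,
the list, or any SSH/DNS project. Assumes a non-TLS service on 22/tcp and a
constructed sample SPKI. Nothing here talks to DNS.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# RFC 6698 field values.
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
USAGE_DANE_EE = 3  # "domain-issued certificate": no PKIX chain validation

# Constructed sample SPKI: the DER prefix of an Ed25519 SubjectPublicKeyInfo
# followed by 32 placeholder key bytes. Not a real key.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # "certificate association data"

    def presentation(self, owner: str) -> str:
        """Zone-file form, e.g. '_22._tcp.host.example. IN TLSA 3 1 1 <hex>'."""
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.data.hex()}")


def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """RFC 6698 section 3 owner name: _<port>._<proto>.<host>.

    This is the piece a protocol with no fixed listening port cannot use
    as-is and would need its own rule for.
    """
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError("transport label must be tcp, udp or sctp")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"_{port}._{proto}.{host.rstrip('.')}."


def _select(selector: int, cert_der: Optional[bytes], spki_der: bytes) -> bytes:
    """Apply the Selector field. A raw-key peer has only an SPKI, so
    selector 0 (full certificate) can only be satisfied when a DER
    certificate is actually available."""
    if selector == SELECTOR_SPKI:
        return spki_der
    if selector == SELECTOR_FULL_CERT:
        if cert_der is None:
            raise ValueError("selector 0 needs a full certificate; "
                             "a raw public key carries only an SPKI")
        return cert_der
    raise ValueError("unknown selector")


def _match_data(matching_type: int, selected: bytes) -> bytes:
    """Apply the Matching Type field to the selected bytes."""
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type")


def make_tlsa(usage: int, selector: int, matching_type: int,
              spki_der: bytes, cert_der: Optional[bytes] = None) -> TLSARecord:
    """Publisher side: the record for the key clients should accept."""
    selected = _select(selector, cert_der, spki_der)
    return TLSARecord(usage, selector, matching_type,
                      _match_data(matching_type, selected))


def tlsa_matches(record: TLSARecord, presented_spki: bytes,
                 presented_cert: Optional[bytes] = None) -> bool:
    """Client side: does what the peer presented match the published record?
    A record the peer cannot satisfy (selector 0 against a raw key) is
    simply a non-match, not an error."""
    try:
        selected = _select(record.selector, presented_cert, presented_spki)
        expected = _match_data(record.matching_type, selected)
    except ValueError:
        return False
    return hmac.compare_digest(expected, record.data)


def demo() -> tuple:
    """Publish a 3 1 1 record for the sample key, then check a good and a
    tampered key against it. Returns (good_matches, tampered_matches)."""
    owner = tlsa_owner_name(22, "tcp", "host.intranet.example")  # hypothetical name
    rec = make_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, SAMPLE_SPKI)
    print(rec.presentation(owner))
    tampered = SAMPLE_SPKI[:-1] + b"\x00"
    return tlsa_matches(rec, SAMPLE_SPKI), tlsa_matches(rec, tampered)


if __name__ == "__main__":
    print(demo())
```

Usage 3 / selector 1 / matching type 1 is the combination that needs nothing but the SPKI, which is why it is the natural fit for a raw-key peer; a selector-0 record can never be satisfied by such a peer, and the client treats that as a plain mismatch rather than a crash.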
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane