On Wed, Jan 6, 2021 at 1:30 PM Paul Hoffman <paul.hoff...@icann.org> wrote:
> On Jan 6, 2021, at 1:19 PM, Paul Wouters <p...@nohats.ca> wrote:
> > Remember also that TLS ciphers are negotiated.
>
> A better analogy might be "although TLS key exchange and encryption
> ciphers are negotiated, the signing algorithm on the server's certificate
> is not negotiated". DNSSEC signing is much more akin to the latter, I think.
>
> > There is no negotiation
> > in DNSSEC.
>
> Quite right, just as there is no negotiation for the authentication in TLS.
>

This is not strictly correct: TLS allows both the client and the server to
advertise their supported signature algorithms, which can be used by the
peer to guide certificate selection.

-Ekr
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
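
The advertisement Ekr describes, as an added example that is not part of the original thread: a server parses the client's signature_algorithms extension (RFC 8446, section 4.2.3) and uses it to choose which certificate to present. The sample extension bytes and the certificate file names are constructed for illustration.

```python
import struct

SIGNATURE_ALGORITHMS = 13  # extension type, RFC 8446 section 4.2
# Subset of SignatureScheme code points from RFC 8446 section 4.2.3.
SCHEMES = {0x0403: "ecdsa_secp256r1_sha256",
           0x0804: "rsa_pss_rsae_sha256",
           0x0807: "ed25519"}

# Constructed samples: type(2) | ext length(2) | list length(2) | schemes(2 each).
MODERN_CLIENT = bytes.fromhex("000d00080006080704030804")
RSA_ONLY_CLIENT = bytes.fromhex("000d000400020804")
ED25519_ONLY_CLIENT = bytes.fromhex("000d000400020807")

# Hypothetical server inventory: certificate file -> schemes its key can sign with.
SERVER_CERTS = {"rsa-2048.pem": {0x0804}, "ecdsa-p256.pem": {0x0403}}


def parse_signature_algorithms(ext: bytes) -> list:
    """Return the advertised scheme codes, in the peer's preference order."""
    if len(ext) < 6:
        raise ValueError("truncated extension")
    ext_type, ext_len, list_len = struct.unpack_from("!HHH", ext)
    if ext_type != SIGNATURE_ALGORITHMS:
        raise ValueError("not a signature_algorithms extension")
    body = ext[6:]
    # Both length fields must agree with the bytes actually present.
    if ext_len != list_len + 2 or list_len != len(body):
        raise ValueError("inconsistent length fields")
    if list_len == 0 or list_len % 2:
        raise ValueError("scheme list must be a non-empty run of 2-byte codes")
    return [code for (code,) in struct.iter_unpack("!H", body)]


def select_certificate(peer_schemes, certs):
    """Pick the certificate matching the peer's most preferred usable scheme.

    Returns (certificate, scheme name), or None when nothing overlaps, in
    which case a real stack would abort the handshake.
    """
    for code in peer_schemes:  # the list is in descending preference order
        for cert, usable in certs.items():
            if code in usable:
                return cert, SCHEMES.get(code, hex(code))
    return None


if __name__ == "__main__":
    for label, ext in [("modern", MODERN_CLIENT), ("rsa-only", RSA_ONLY_CLIENT),
                       ("ed25519-only", ED25519_ONLY_CLIENT)]:
        offered = parse_signature_algorithms(ext)
        print(label, "->", select_certificate(offered, SERVER_CERTS))
```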