On Tue, Nov 26, 2013 at 12:04 PM, Tony Finch <d...@dotat.at> wrote: > Dave Cridland <d...@cridland.net> wrote: > > > > What I'm wondering is whether an initiator could use the presence of a > TLSA > > record to decide not to consider falling back to XEP-0220. In other > words, > > whether a domain could use them to assert that it has a valid > certificate. > > The DANE drafts that I produced (for mail protocols) specified that > clients should expect the server to have a valid certificate and should > not fall back to unauthenticated or unencrypted connections. >
Right, but that would assume the records are signed, correct? I'm vaguely trying to work out, too, the relationship between XEP-0220 (which relies on an unspoofed DNS to operate) and unsigned TLSA records. If, instead of XEP-0220, we used unsigned DANE, would this work just as (in)securely? It's an interesting (to me) point, because going from unsigned TLSA to either of signed TLSA (ie, proper DANE) or a CA-signed authoritative certificate (ie, a proper cert) should be relatively smooth. I suspect we still need to call back in the case of unsigned records and self-signed certificates, because otherwise an attacker could spoof the DNS and wouldn't need to stage a server. If they can stage a server and spoof the DNS, then they can already spoof XEP-0220. I do not know whether it's harder to spoof two co-related unsigned records within the same zone, though. I would note that an unsigned TLSA concept would implicitly mandate TLS - as such, the right comparison is with XEP-0220 over TLS, rather than "vanilla" XEP-0220. Dave.