On Mon, Nov 28, 2022 at 06:23:36PM -0800, Eric Rescorla wrote:
> Thanks for the elaboration, Viktor.
>
> I think the TL;DR here is that this isn't TLS-relevant work at present.
> Either you get the certs directly or you get them via RFC 9102 but in
> either case, TLS has the appropriate support.
>
> If you don't need CT--I'm not entirely persuaded by Viktor's argument but I
> agree that the need is probably less than with WebPKI--then it seems like
> the technical work is done. If you do need CT, then probably your next stop
> is secdispatch, what with trans being closed.
Agreed, with the already mentioned clarification that the "CT" in question would be DNSSEC-Transparency, not X.509 CT, except when the DANE usages are PKIX-{TA,EE}, where the usual WebPKI rules also apply. The "DNSSEC-Transparency" would log eTLD delegation security and any delegations above that (root to TLD, TLD to 2LD eTLD public suffix, ...).

The viability of such a system has not been established, nor is there even a sufficiently detailed potential design for evaluation. It is not clear, between wider DNSSEC adoption and availability of a CT analogue, which is the cart and which is the horse. I don't think that lack of such an analogue is presently a real obstacle to wider deployment of DNSSEC. If I'm mistaken, perhaps this is something that could be explored sooner.

-- 
Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls