On Mon, Nov 28, 2022 at 06:23:36PM -0800, Eric Rescorla wrote:
> Thanks for the elaboration, Viktor.
> 
> I think the TL;DR here is that this isn't TLS-relevant work at present.
> Either you get the certs directly or you get them via RFC 9102 but in
> either case, TLS has the appropriate support.
> 
> If you don't need CT--I'm not entirely persuaded by Viktor's argument but I
> agree that the need is probably less than with WebPKI--then it seems like
> the technical work is done. If you do need CT, then probably your next stop
> is secdispatch, what with trans being closed.

Agreed, with the already mentioned clarification that the "CT" in
question would be DNSSEC-Transparency not X.509 CT, except when the DANE
usages are PKIX-{TA,EE} where the usual WebPKI rules also apply.

The "DNSSEC-Transparency" would log eTLD delegation security and any
delegations above that (root to TLD, TLD to 2LD eTLD public suffix,
...).  The viability of such a system has not been established, nor is
there even a sufficiently detailed potential design for evaluation.

It is not clear between wider DNSSEC adoption and availability of a CT
analogue which is the cart and which is the horse.  I don't think that
lack of such an analogue is presently a real obstacle to wider deployment
of DNSSEC.  If I'm mistaken, perhaps this is something that could be
explored sooner.

-- 
    Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls