On Mon, Jan 26, 2026 at 11:55 AM Muhammad Usama Sardar <[email protected]> wrote:

> Maybe I am missing some discussions that happened outside of TLS. So
> apologies if this is the case.
> On 26.01.26 19:36, Eric Rescorla wrote:
>> Regardless, the argument cannot be "use the webpki because it offers
>> better privacy features" because for
>> players in this space, non-webpki authentication and authorization is
>> more important than a privacy feature
>> that defends only against passive attacks.
>>
>
> I think you are perhaps misunderstanding my comment, because I'm
> not talking about the WebPKI at all in this discussion. I'm instead saying
> that the client should send the DNSSEC chain in a TLS extension
> rather than having the server query for it, thus avoiding revealing
> its identity on the wire. This is entirely isomorphic to the current
> identity structure.
>
> Do I understand correctly that you are proposing the DNSSEC chain to be
> put as an extension of client's Certificate message of TLS 1.3?
>

Yes.

-Ekr
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
