[Standards] Unsigned DANE records for TLS assertions
dave at cridland.net
Wed Dec 4 09:27:33 UTC 2013
On Wed, Dec 4, 2013 at 9:17 AM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> On 12/4/13 2:13 AM, Dave Cridland wrote:
> I'm waxing sleepy because it's 2 AM here, but I don't see how we get
> that level of trust with unsigned DNS records...
I assumed from the quantity of mail I was seeing from you that you were
We're currently using unsigned DNS records to authenticate anyway if the
certificate fails to authenticate. So there's no new attack vector by using
unsigned TLSA to prevent that fallback; and perhaps some fearsome TTLs on
such records might mean we end up with a net win.
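The fallback argument above, worked through as an added example (not code from any XMPP server or from the proposal itself): a TLSA matcher for the simplest RFC 6698 case (usage 3, selector 0) and an s2s decision function that compares today's "PKIX, else dialback" behaviour with a policy in which a TLSA record, signed or not, switches the dialback fallback off. The reading of the proposal encoded in `s2s_decision`, the outcome labels, and the certificate bytes are all assumptions constructed for the illustration.

```python
"""Added illustration of the s2s authentication decision discussed in the thread:
an unsigned TLSA record switches off the fallback to dialback.
Not code from any XMPP server; names and certificate bytes are constructed."""
import hashlib
from dataclasses import dataclass

# TLSA field values from RFC 6698 (only the subset this example handles).
USAGE_DANE_EE = 3        # usage 3: match the end-entity certificate directly
SELECTOR_FULL_CERT = 0   # selector 0: association data covers the full DER certificate
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: bytes


def tlsa_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """RFC 6698 matching for usage 3 / selector 0. Selector 1 (SubjectPublicKeyInfo)
    and the CA-constraint usages need ASN.1 parsing and are deliberately left out."""
    if record.usage != USAGE_DANE_EE or record.selector != SELECTOR_FULL_CERT:
        return False
    if record.matching_type == MATCH_EXACT:
        return record.cert_assoc_data == cert_der
    if record.matching_type == MATCH_SHA256:
        return record.cert_assoc_data == hashlib.sha256(cert_der).digest()
    if record.matching_type == MATCH_SHA512:
        return record.cert_assoc_data == hashlib.sha512(cert_der).digest()
    return False


def s2s_decision(pkix_ok, tlsa_records, dnssec_secure, cert_der, policy):
    """Return the outcome of the s2s authentication step.

    policy="current":  PKIX, else dialback (which itself rests on unsigned DNS).
    policy="proposed": a TLSA record for the peer, signed or not, is read as
                       "TLS must authenticate": match it or reject, no dialback.
    This reading of the proposal is the example's own assumption.
    """
    if pkix_ok:
        return "accept-pkix"
    if policy == "current" or not tlsa_records:
        return "dialback"
    if any(tlsa_matches(r, cert_der) for r in tlsa_records):
        # With DNSSEC this is full DANE authentication; without it the trust
        # is the same DNS-level trust that dialback already relies on.
        return "accept-dane" if dnssec_secure else "accept-unsigned-tlsa"
    # TLSA present but nothing matches: no fallback, the connection is refused.
    return "reject"


# Constructed inputs (not real certificates).
PEER_CERT_DER = b"constructed DER bytes for example.net's s2s certificate"
MITM_CERT_DER = b"constructed DER bytes for an attacker-supplied certificate"
PEER_TLSA = TLSARecord(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA256,
                       hashlib.sha256(PEER_CERT_DER).digest())


def compare_policies():
    """Outcome of (current, proposed) over the cases the thread is arguing about."""
    cases = {
        "pkix ok":                         (True,  [],          False, PEER_CERT_DER),
        "pkix fails, no TLSA":             (False, [],          False, PEER_CERT_DER),
        "pkix fails, unsigned TLSA match": (False, [PEER_TLSA], False, PEER_CERT_DER),
        "pkix fails, signed TLSA match":   (False, [PEER_TLSA], True,  PEER_CERT_DER),
        "pkix fails, TLSA vs MITM cert":   (False, [PEER_TLSA], False, MITM_CERT_DER),
    }
    return {name: (s2s_decision(*args, policy="current"),
                   s2s_decision(*args, policy="proposed"))
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, (current, proposed) in compare_policies().items():
        print(f"{name:34} current={current:10} proposed={proposed}")
```

The table `compare_policies()` produces is the "no new attack vector" claim in miniature: with no TLSA published, both policies fall back to dialback exactly as today; with a TLSA published, an attacker who presents a non-matching certificate is refused rather than being let through on dialback, and an attacker who can strip the TLSA from the (unsigned) answer is the same attacker who could already subvert dialback's unsigned DNS lookup. A long TTL on the TLSA record, as the message suggests, only narrows the window in which that stripping works against a resolver that already holds the record.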