[Standards] Unsigned DANE records for TLS assertions

Dave Cridland dave at cridland.net
Wed Dec 4 09:27:33 UTC 2013


On Wed, Dec 4, 2013 at 9:17 AM, Peter Saint-Andre <stpeter at stpeter.im> wrote:

> On 12/4/13 2:13 AM, Dave Cridland wrote:
> I'm waxing sleepy because it's 2 AM here, but I don't see how we get
> that level of trust with unsigned DNS records...
>
>
I assumed from the quantity of mail I was seeing from you that you were
travelling. ;-)

We're currently using unsigned DNS records to authenticate anyway if the
certificate fails to authenticate. So there's no new attack vector by using
unsigned TLSA to prevent that fallback; and perhaps some fearsome TTLs on
such records might mean we end up with a net win.

Maybe.

Dave.
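As an added worked example (not code from the post, nor from any XMPP server implementation), here is the authentication decision Dave is arguing about, written out so the "no new attack vector" point can be checked. It assumes the unsigned-DNS fallback he refers to is XMPP server dialback, that the published TLSA records use DANE-EE (certificate usage 3), and that the certificate, SubjectPublicKeyInfo and TLSA record bytes are constructed placeholders rather than data from any real domain. The selector and matching-type handling follows RFC 6698.

```python
"""Added example: treating an (unsigned) TLSA record as a "never fall back
to dialback" signal in a hypothetical XMPP s2s authenticator.

Assumptions (not stated in the post): the fallback is server dialback,
only DANE-EE (usage 3) is handled, and all byte strings are constructed.
"""
import hashlib
from dataclasses import dataclass

# TLSA RDATA field values from RFC 6698 section 2.1
USAGE_DANE_EE = 3       # certificate usage 3: domain-issued end-entity cert
SELECTOR_FULL_CERT = 0  # match against the whole DER certificate
SELECTOR_SPKI = 1       # match against the DER SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSARecord":
        """Parse presentation format, e.g. '3 1 1 <hex digest>'."""
        usage, selector, mtype, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply one TLSA record's selector and matching type to the peer cert.

    Only DANE-EE is accepted here: that is the usage a domain can assert
    for its own certificate without any trust anchor, which is the case
    the thread is about. Other usages are rejected (example's choice).
    """
    if rec.usage != USAGE_DANE_EE:
        return False
    if rec.selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif rec.selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        return False
    if rec.matching_type == MATCH_EXACT:
        return selected == rec.data
    if rec.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest() == rec.data
    return False


def s2s_auth_decision(pkix_ok: bool, tlsa_records, cert_der: bytes,
                      spki_der: bytes) -> str:
    """Return 'pkix', 'dane', 'dialback' or 'reject'.

    - A certificate that validates under PKIX is accepted as today.
    - If the peer domain publishes any TLSA record (DNSSEC-signed or not),
      its presence disables the dialback fallback: a record must match
      the presented certificate, otherwise the peer is rejected.
    - With no TLSA record, behaviour is unchanged: fall back to dialback,
      i.e. trust unsigned DNS, which is the status quo the post describes.
    """
    if pkix_ok:
        return "pkix"
    if tlsa_records:
        if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_records):
            return "dane"
        return "reject"
    return "dialback"


# Constructed placeholder bytes standing in for DER structures.
CERT_DER = b"constructed-placeholder-certificate-der"
SPKI_DER = b"constructed-placeholder-spki-der"
TLSA_TEXT = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()
TLSA_SPKI_SHA256 = TLSARecord.from_presentation(TLSA_TEXT)
TLSA_CERT_EXACT = TLSARecord(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_EXACT, CERT_DER)


def demo() -> dict:
    """Run the four situations the thread contrasts and return the outcomes."""
    return {
        "pkix_ok": s2s_auth_decision(True, [], CERT_DER, SPKI_DER),
        "no_tlsa_cert_fails": s2s_auth_decision(False, [], CERT_DER, SPKI_DER),
        "tlsa_matches": s2s_auth_decision(False, [TLSA_SPKI_SHA256], CERT_DER, SPKI_DER),
        "tlsa_mismatch": s2s_auth_decision(False, [TLSA_SPKI_SHA256], CERT_DER, b"other-key"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point the example makes concrete: without a TLSA record the server still drops to dialback, so an attacker who can spoof unsigned DNS already has a path in; publishing a TLSA record only removes that fallback for the domain's own connections. A spoofed, unsigned TLSA record therefore lets the same attacker do nothing he could not already do via spoofed SRV plus dialback, while a genuine one lets the domain opt out of the fallback entirely.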