IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Martin Rex <mrex@sap.com> Wed, 16 May 2012 07:53 UTC

Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCE9B21F87D0 for <dane@ietfa.amsl.com>; Wed, 16 May 2012 00:53:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.09
X-Spam-Level:
X-Spam-Status: No, score=-10.09 tagged_above=-999 required=5 tests=[AWL=0.159, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QZqfHHFxW+hK for <dane@ietfa.amsl.com>; Wed, 16 May 2012 00:53:58 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id 03CDD21F865C for <dane@ietf.org>; Wed, 16 May 2012 00:53:57 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q4G7ruCB009707 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 16 May 2012 09:53:56 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201205160753.q4G7rsjL011572@fs4113.wdf.sap.corp>
To: warren@kumari.net (Warren Kumari)
Date: Wed, 16 May 2012 09:53:54 +0200 (MEST)
In-Reply-To: <A0B2E24D-63C8-4CFB-AA99-4BD65EB76739@kumari.net> from "Warren Kumari" at May 15, 12 03:32:44 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: paul.hoffman@vpnc.org, dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2012 07:53:59 -0000

Warren Kumari wrote:
> > 
> > I don't think people have been talking about suggesting that the
> > application let the user choose between strict and not-strict;
> > I think most people here are against that.
> 
> This may be my fault -- a long time back (in this thread) I proposed
> having implmentations default to not-strict and then, in a few years
> (once there is less DNSSEC breakage by CPE, etc), vendors would turn
> the knob to strict mode. Educated / security concious users would
> also be able to turn the knob if they so  desired.
> 
> This was just an idea, and perhaps a bad one!

That was a perfectly reasonable one, and is the approach that is being
used for the TLS renegotiation_info extension (rfc5746):

  http://tools.ietf.org/html/rfc5746#section-4

And no, the world did not end because of browsers and other TLS-clients
not being strict about TLS renegotiation (i.e. hard-failing on
servers that do not support it).


-Martin

v2.8.7 | Report a Bug | By Email