Re: [TLS] some thoughts on dnssec-chain-extension, pinning, and broader semantics

Nico Williams <> Mon, 05 November 2018 17:12 UTC

Date: Mon, 05 Nov 2018 11:11:59 -0600
From: Nico Williams <>
To: Benjamin Kaduk <>
Message-ID: <20181105171157.GA9067@localhost>
User-Agent: Mutt/1.5.24 (2015-08-30)
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Mon, Nov 05, 2018 at 07:01:57AM -0600, Benjamin Kaduk wrote:
> Once we start talking about pinning of any sort, we move from this
> extension just being "transport some DNS records" into conveying some
> sort of additional semantics.

The I-D lost consensus over one issue.  We should resolve that issue.

There are some other minor things (like the fact that TLSA RR names
include a port number and the TLS server needs to know, or that we
shouldn't specify an RR sort order, or that the age of the chain payload
needs to be included), but they are minor by comparison.  Whether we
discuss those first or the main event is not that interesting to me, but
if we're going to make progress I think we should have time for the main
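The "TLSA RR names include a port number" point above is easy to get wrong in an implementation, so here is an added worked example (it is not code from the message, the I-D, or any DANE library) of how a TLS server that wants to ship a chain in the extension would derive the TLSA owner name per RFC 6698, and how a client would parse the TLSA RDATA and match it against a certificate. The function names, and the DER-shaped sample certificate, are assumptions made for the example; the sample is constructed inline so the block runs offline and is not a real, signed X.509 certificate.

```python
import hashlib
import hmac
import struct

# RFC 6698 field values, kept for the text form of a record.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def tlsa_owner_name(host, port, proto="tcp"):
    """Owner name of the TLSA RRset for a service: _<port>._<proto>.<host>.
    The port is part of the name, so the server side must know which port
    the client connected to before it can pick the right RRset."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"_{port}._{proto.lower()}.{host.rstrip('.').lower()}."


def tlsa_rdata(usage, selector, mtype, data):
    """Wire-format TLSA RDATA: three one-octet fields then the association data."""
    return struct.pack("!BBB", usage, selector, mtype) + data


def parse_tlsa_rdata(rdata):
    """Parse wire-format TLSA RDATA into its fields."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector, "matching_type": mtype, "data": rdata[3:]}


def tlsa_text(record):
    """Presentation format, e.g. '3 1 1 <hex>'."""
    return f"{record['usage']} {record['selector']} {record['matching_type']} {record['data'].hex()}"


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_cert(cert_der):
    """Extract the SubjectPublicKeyInfo TLV from a DER Certificate (selector 1).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, pos, _ = _der_tlv(cert_der, 0)       # into Certificate
    _, pos, _ = _der_tlv(cert_der, pos)     # into tbsCertificate
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                         # skip explicit [0] version if present
        pos = end
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    _, _, end = _der_tlv(cert_der, pos)
    return cert_der[pos:end]


def tlsa_matches(record, cert_der):
    """True if the TLSA record's association data matches the certificate."""
    subject = cert_der if record["selector"] == 0 else spki_from_cert(cert_der)
    mtype = record["matching_type"]
    if mtype == 0:
        digest = subject
    elif mtype == 1:
        digest = hashlib.sha256(subject).digest()
    elif mtype == 2:
        digest = hashlib.sha512(subject).digest()
    else:
        raise ValueError("unknown matching type")
    return hmac.compare_digest(digest, record["data"])


def _der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: DER with the Certificate shape only (empty issuer/subject,
# ecPublicKey OID, dummy key bits, no real signature). Assumption for the example.
SAMPLE_SPKI = _der(0x30, _der(0x30, bytes.fromhex("06072a8648ce3d0201")) + _der(0x03, b"\x00\x04" + b"\xaa" * 64))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
            + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A server using the extension would look up the RRset at `tlsa_owner_name(sni_host, listening_port)` and include it (with its RRSIGs and the chain) in the response; the client matches each record with `tlsa_matches` against the certificate it received in the handshake.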