On 3/4/21 2:46 PM, Viktor Dukhovni wrote:
> On Mar 4, 2021, at 4:44 PM, Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> wrote:
>> There are lots of applications (including but not limited to ordinary web browsers and servers) running on disconnected and intermittently-connected networks out there that need encryption, and which can't practically use TLS, because they don't use DNS or even host files. But it's not a limitation of the TLS protocol so much as of the APIs and the code that does certificate verification.
> TLS without DNS name checks and/or without any hierarchical PKI is directly supported by OpenSSL.
Yes I know. But people need web browsers that can do this. And there's still a need to thwart active attacks in such environments.
IOW it's not only TLS and X.509 that are needed, but a stack (including browser) that can use these without needing DNS or external connectivity.
Keith
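As an added illustration of the point under discussion (this is not code from the thread, from Keith, or from Viktor, and it uses Go's crypto/tls rather than OpenSSL), the following shows a TLS client that performs no DNS name check and trusts no CA hierarchy, yet still defeats an active attacker: the peer is identified by an out-of-band SPKI hash (a "pin") instead of a DNS name, and a server presenting a different key is rejected at handshake time. The certificate subject name, the pin distribution channel and the loopback handshake harness are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert creates a throwaway self-signed certificate for the example.
// It carries no DNS name and is signed by nobody but itself: there is no
// hierarchy for a chain check and nothing for a hostname check to match.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "disconnected-node"}, // hypothetical name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin returns hex(SHA-256(SubjectPublicKeyInfo)) of a DER certificate: the
// value a peer distributes out of band (config file, QR code, sneakernet) in
// place of a DNS name plus CA chain.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// verifyPin replaces chain building and hostname matching: the peer is
// accepted only if its leaf key hashes to the pinned value.
func verifyPin(pin string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("peer sent no certificate")
	}
	got, err := spkiPin(rawCerts[0])
	if err != nil {
		return err
	}
	if got != pin {
		return fmt.Errorf("SPKI pin mismatch: got %s, want %s", got, pin)
	}
	return nil
}

// pinnedClientConfig disables Go's default verification (InsecureSkipVerify
// skips both the chain and the hostname check) and substitutes verifyPin, so
// an attacker terminating the connection with another key is still rejected.
func pinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPin(pin, rawCerts)
		},
	}
}

// handshake runs a full TLS handshake over loopback TCP (no DNS involved)
// between a server presenting serverCert and a client using clientCfg, and
// returns the client's verdict on the server.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		_ = srv.Handshake() // an error here only means the client rejected us
		conn.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	return tls.Client(raw, clientCfg).Handshake()
}

func main() {
	legit, _ := selfSignedCert()
	pin, _ := spkiPin(legit.Certificate[0]) // learned out of band, not via DNS
	fmt.Println("pinned peer:", handshake(legit, pinnedClientConfig(pin)))
	rogue, _ := selfSignedCert() // an interceptor: same name, different key
	fmt.Println("rogue peer: ", handshake(rogue, pinnedClientConfig(pin)))
}
```

The design point is that `InsecureSkipVerify` alone would accept anyone; it is only safe because `VerifyPeerCertificate` still runs and carries the real identity check. The same shape is available in OpenSSL via a verify callback or by loading the peer's self-signed certificate as the sole trust anchor with hostname checking left off; what is missing, as the thread says, is browsers and application stacks that expose it.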