On Tue, Jun 28, 2022, at 00:36, tirumal reddy wrote:
> Relying on WebPKI is the right thing for general-purpose endpoints but
> for IoT devices using secure bootstrapping (e.g., BRSKI) could be
> provisioned with an explicit trust anchor database allowing the use of
> it to validate the DNS server certificate. We may want to discuss if
> DNR/DDR or some other secure way of discovering the network-designated
> encrypted resolver can be used for such IoT devices.

I didn't say *which* trust anchors, I only noted that there is no requirement to chain to *any* trust anchor. Even if you accept that there might be different trust anchors in clients, you still need to have 'em.

I also disagree when you assert that the decision is not one this can make. I don't know how you deploy a protocol when a key component is ¯\_(ツ)_/¯. It would be better to say "use Web PKI unless you have configuration that suggests otherwise". Otherwise you can't deploy anything without guessing.

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call