On Tue, 28 Jun 2022 at 05:03, Martin Thomson <mt@xxxxxxxxxxxxxx> wrote:
On Tue, Jun 28, 2022, at 00:36, tirumal reddy wrote:
> Relying on WebPKI is the right thing for general-purpose endpoints, but
> IoT devices using secure bootstrapping (e.g., BRSKI) could be
> provisioned with an explicit trust anchor database, allowing the use of
> it to validate the DNS server certificate. We may want to discuss if
> DNR/DDR or some other secure way of discovering the network-designated
> encrypted resolver can be used for such IoT devices.
I didn't say *which* trust anchors, I only noted that there is no requirement to chain to *any* trust anchor. Even if you accept that there might be different trust anchors in clients, you still need to have 'em.
Yes.
I also disagree when you assert that the decision is not one this can make. I don't know how you deploy a protocol when a key component is ¯\_(ツ)_/¯. It would be better to say "use Web PKI unless you have configuration that suggests otherwise". Otherwise you can't deploy anything without guessing.
Agreed, we can add the following text to Section 3.3 of DNR:
The client by default uses PKIX validation [RFC5280] unless configured otherwise.
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
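The two validation modes discussed in the thread, as an added example that is not part of the exchange or of the DNR draft: a DNR client performs PKIX validation of the encrypted resolver's certificate against either an explicitly provisioned trust anchor database (the IoT/BRSKI case) or, when not configured otherwise, the system's Web PKI roots. The trust anchor, the resolver certificate and the ADN "resolver.example" are constructed in the code for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert signs tmpl with signerKey under parent (pass tmpl as parent for a self-signed root).
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildIoTTrustAnchors constructs (for this example only) a provisioned trust anchor database
// holding one anchor, as BRSKI-style bootstrapping might install, plus a resolver certificate for adn.
func BuildIoTTrustAnchors(adn string) (*x509.CertPool, *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed IoT Trust Anchor"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: adn}, DNSNames: []string{adn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, &leafKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, leaf
}

// ValidateResolver is the DNR client's PKIX check (RFC 5280 path validation plus ADN name match).
// anchors == nil is the "not configured otherwise" default: Go then uses the system (Web PKI) roots.
func ValidateResolver(leaf *x509.Certificate, anchors *x509.CertPool, adn string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, DNSName: adn, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

An empty (non-nil) pool is the case Martin describes: with no trust anchor at all, every chain fails, so the client must either hold configured anchors or fall back to the Web PKI default.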