>>>>> "Viktor" == Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> writes:
Viktor> On Fri, Feb 27, 2015 at 10:46:12AM -0600, Nico Williams wrote:
>> I would much prefer a Standards-Track document that says to
>> authenticate the origin domainname as follows:
>>
>> - use DNSSEC for all DNS queries needed to find the URI RRs and
>> DANE to authenticate the authorities of the resulting URIs
>>
>> or
>>
>> - expect the target authorities to have certificates that
>> authenticate the origin, using SNI if need be.
>>
>> I would still drop everything related to NAPTR and DDDS.
Viktor> That works for me, and is in reasonable alignment with
I would object strongly to this because of the trust anchor reasons I've
discussed.
I think applicability advice discussing when it's appropriate to trust
DNS and how the DNS trust models differ from the TLS trust model are an
important consideration to standards-track work in this space.
It doesn't sound like Nico's document would include sufficient
discussion of that to make me happy.
I think that within the case where trusting DNS makes sense, Nico's
advice isn't the advice I'd give, but I wouldn't go so far as to object
to it.
I don't actually think TLSA adds much to this discussion. If you're
willing to trust DNS and if you're using DNSSec, I don't see why you
can't just trust the target of the redirection.
What are you getting out of forcing DANE?
TLSA doesn't help the case where the app has stronger trust anchors
(within its trust domain) than the DNS trust anchors.