List: ietf-tls
Subject: [TLS] DPRIV has the downgrade too (Re: Consensus Call on draft-ietf-tls-dnssec-chain-extension)
From: Nico Williams <nico () cryptonector ! com>
Date: 2018-04-06 19:21:02
Message-ID: 20180406192101.GQ25259 () localhost
On Thu, Apr 05, 2018 at 02:46:12AM -0400, Viktor Dukhovni wrote:
> So I rather suspect that even the DPRIV use-case, which supposedly does not need
> the proposed changes, actually does need them for meaningful security from using
> DANE, and we've not just not looked at the details closely enough yet. It may
> well turn out not substantially different from the browser use-case that is not
> adequately met by the current draft.
>
> Can someone explain briefly how DPRIV avoids the same downgrade issues, and
> negative adoption incentives (cost-benefit comparison)? If it turns out that
> no adequate explanation is possible, and indeed the same issues are present,
> then the proposed changes (which are still needed elsewhere) are all the
> more pressing.
Oh, right, DPRIV isn't a work-in-progress. It's already here. Thus it
cannot be an application that makes draft-ietf-tls-dnssec-chain-extension
mandatory. Therefore it's subject to the downgrade attack we want to
address with (C).
I think now the WG should really want this LC to succeed and get this
change made.
Nico
--