On Jun 6, 2025, at 14:16, Paul Wouters <[email protected]> wrote:
>
>> On Jun 6, 2025, at 15:02, Erik Nygren <[email protected]> wrote:
>>
>> Following this discussion, I've taken a pass at proposing some updates to
>> clarify the "purpose"
>> of domain validation (as suggested by Ben in PR #160 although I started with
>> a new take on it)
>> as well as to clarify the difference between one-off validation and
>> persistent validation.
>> See:
>>
>> https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/172/files
>> [github.com]
>>
>
> This looks good to me.

This is an OK start, but it would be better if the draft covered the actual security issues (on-path attackers) and dealt with time more carefully. Persistent validation doesn't need the token that is needed by the initial validation. The new material still doesn't explain why introducing a new mechanism (intermediaries) should be part of a Best Current Practice RFC.

--Paul Hoffman
