[Cryptography] Apple's iCloud+ "VPN"

Viktor Dukhovni cryptography at dukhovni.org
Sat Jul 10 00:52:23 EDT 2021


On Wed, Jul 07, 2021 at 08:04:28PM -0700, Bill Woodcock wrote:

> That, on the other hand, is a deficiency which had not been obvious to
> me until you pointed it out, and now is.  If you’re saying that you
> believe DNS Extended Errors should include a mechanism for the server
> generating the error to identify itself and sign the error message,
> then I agree, and in retrospect this seems like an oversight which
> should be remedied, and remembered for the future.

I'm not convinced.  Error reporting is needed under adverse conditions,
and authenticating the error message is typically not the highest
priority in that case.

The error messages are just diagnostic information; they do not change
the semantics of the result.  The most one should reasonably
automatically do based on the error type is in some cases give up
*faster*, because the error makes it clear that retries won't help.

-- 
    Viktor.
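
An added example, not part of the original message: a stub-resolver retry policy in Python that treats Extended DNS Error info-codes (RFC 8914, EDNS option 15) as unauthenticated hints, which can only shorten retries and never change the response code. The `NO_RETRY_HINT` set, the function names and the sample options are assumptions of this example.

```python
import struct

EDE_OPTION_CODE = 15  # EDNS0 option code assigned to Extended DNS Errors (RFC 8914)
NOERROR = 0
SERVFAIL = 2
# Assumption of this example: info-codes after which repeating the query is pointless.
# 6 DNSSEC Bogus, 15 Blocked, 16 Censored, 17 Filtered, 18 Prohibited
NO_RETRY_HINT = {6, 15, 16, 17, 18}

def parse_ede(opt_rdata: bytes):
    """Return [(info_code, extra_text)] from OPT RDATA; malformed data is dropped."""
    found, pos = [], 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, pos)
        pos += 4
        data = opt_rdata[pos:pos + length]
        if len(data) < length:
            break  # truncated option: it is only a diagnostic, so stop parsing
        pos += length
        if code == EDE_OPTION_CODE and length >= 2:
            info_code = struct.unpack_from("!H", data)[0]
            found.append((info_code, data[2:].decode("utf-8", "replace")))
    return found

def retry_plan(rcode: int, opt_rdata: bytes, default_retries: int = 3):
    """Return (rcode, retries). The rcode is always passed through untouched."""
    if rcode == NOERROR:
        return rcode, 0  # success: an attached, unsigned error hint changes nothing
    hints = parse_ede(opt_rdata)
    if any(code in NO_RETRY_HINT for code, _ in hints):
        return rcode, 0  # the only automatic effect: give up faster
    return rcode, default_retries

def ede_option(info_code: int, text: str = "") -> bytes:
    """Build one EDE option (constructed sample input for the demo below)."""
    body = struct.pack("!H", info_code) + text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(body)) + body

if __name__ == "__main__":
    print(retry_plan(SERVFAIL, ede_option(6, "signature check failed")))
    print(retry_plan(SERVFAIL, ede_option(23)))  # 23 Network Error: keep retrying
    print(retry_plan(NOERROR, ede_option(6)))    # hint on a good answer is ignored
```

Because the hint is never authenticated, the worst a forged option can do under this policy is end retries early for a query that had already failed.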

