IETF Logo Mail Archive

Re: [Add] [Ext] Updated charter proposal for ADD

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 17 January 2020 18:25 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A30D71200F1 for <add@ietfa.amsl.com>; Fri, 17 Jan 2020 10:25:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01uVqt7Cfcg8 for <add@ietfa.amsl.com>; Fri, 17 Jan 2020 10:25:37 -0800 (PST)
Received: from mail-vk1-xa35.google.com (mail-vk1-xa35.google.com [IPv6:2607:f8b0:4864:20::a35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8CCA1200F9 for <add@ietf.org>; Fri, 17 Jan 2020 10:25:21 -0800 (PST)
Received: by mail-vk1-xa35.google.com with SMTP id d17so6901344vke.5 for <add@ietf.org>; Fri, 17 Jan 2020 10:25:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0xie+KcE/oGBWWA6W8HAKD2nRY6bNNXpdq+xuXrXdA4=; b=qQOkMla0QgJQB0g9n0zUtq19eYTzmDH0QG4iCPracH3gREPatMJyGteiC/qdaXHuqW q3xG97QfkoYfND4PzOo04X7OA858WshR1RWzLf/3SC5M2WZB+c0D18eMmeZhrVLfRzwz P9rD9YKkLtzpqn9n05XWiyjQwCA/nubv9F2+reYhJLUdc/XasCA6rrdAv9cuuk5KZCTy 1f0p3X1hINTHrxaMhKWOdMmf97Q3+6mM8GAGsRg3l07OPmCUZ40WoBahNgggHKjLmBg+ sJfS7bevY0X/3m8B+OQzZdEoApPsIfnp9S8kB8Y9gKz8AD62vfGKa6hk/lbozKU/HsRo 0fSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0xie+KcE/oGBWWA6W8HAKD2nRY6bNNXpdq+xuXrXdA4=; b=JrTf/4YpaXX/oYYyQ8u7OcEVvibFDlVYysdTuDvNgHvxhJL/6yXu+r1FSEMuFMSIOj MUFvyUlFaUKqdmB1CHz2O74V4FNf3t7Tv1OonxBF7l2F3Z5Nv+qP2IpD9Y7GiG+y9O3K QA3dL7EDnMFalTd+X22SB0lRvchEO35OfKPzLiQzmMIGP6uuvunltampW6hkNI6shtNH n8tFmJGz0FoAQOuv6UOD/vI4TChwvKvZz4SPvvklB148riibxG1/riv57S9wwZOfrDTd YI/PRaYlZD2UZIWMAcA0Spi3MuLZTt5hFw2gVLnR3zRyLu+X/bv7vIaQEfjNCgEARscj uNBQ==
X-Gm-Message-State: APjAAAUGaCWn8MR5ou54Z0NDgBD7dC2ebc2imB8LgOWaEmBQLJH8Z9EK r2Pof4zepSvLsvvfvuY69IVu7IHUPGg3eG2ERJE=
X-Google-Smtp-Source: APXvYqzKe+7gjZEaAsZQHH4DRAImE+bqEe5Rq3TlVH6PXTMAKvONJSm509LNsbEynOghL/SoS/sOI0RZaEek4MQsUL0=
X-Received: by 2002:a1f:73c6:: with SMTP id o189mr22574422vkc.60.1579285520808; Fri, 17 Jan 2020 10:25:20 -0800 (PST)
MIME-Version: 1.0
References: <CAChr6SwZMid9ruggYAu5bqBEcujhczp34mJ=TZPAjSXw50ZBKQ@mail.gmail.com> <C70ECC76-7431-4FC2-B555-0E1D8D82B449@nbcuni.com> <CAChr6SwYtJh84CLE9n+fuqjdFAaSzNP=aFKqa70KY=Mx+F76MQ@mail.gmail.com> <CWXP265MB0566FDF1030771C6916BE37AC2360@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <F82221F8-35B8-497F-8AA9-F2405000650F@fugue.com> <CAOdDvNqyJhu_q8ALpBeg=zcjyUpHW=fpTxSsoCV0_c=oiXg=pA@mail.gmail.com>
In-Reply-To: <CAOdDvNqyJhu_q8ALpBeg=zcjyUpHW=fpTxSsoCV0_c=oiXg=pA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 17 Jan 2020 10:25:09 -0800
Message-ID: <CAH1iCipugAaz6=Hr9_C+AzUjGrnBKZteY695DGqHafLVSEQ4CA@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Ted Lemon <mellon@fugue.com>, Andrew Campling <andrew.campling@419.consulting>, "STARK, BARBARA H" <bs7652@att.com>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, ADD Mailing list <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000778031059c5a109b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/t3QYeunbFO50GoOTpw-mkjgW3oQ>
Subject: Re: [Add] [Ext] Updated charter proposal for ADD
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 18:25:43 -0000

On Fri, Jan 17, 2020 at 7:16 AM Patrick McManus <mcmanus@ducksong.com>
wrote:

> Discovery requires authentication - otherwise the encryption is just snake
> oil security. everyone wants to apply policy (even if the policy is
> 'unfiltered') and you can't deliver that policy without authentication. And
> you can't seriously offer confidentiality without authentication either.
> The proposed charter is clear on this. A charter that allowed the creation
> of a an unauthenticated "secure" protocol in 2020 would fail to recognize
> what is possible and really ought to be irrelevant.
>

The scope of the proposed charter extends beyond exclusively public
resolvers and exclusively web browsers, at least as I read it currently.

For the purposes of clarity, we should be careful about the scope of
statements such as this, for which I propose some alternate wording for
what you wrote.

E.g.:
"Use of discovered resources which have globally-scoped names requires
authentication of those names as part of the protocol being used."

I.e. authentication is a "must" IFF the name is an FQDN rooted in the
public DNS tree (as served via the IANA root zone).

(This would leave open the question of authentication in other
environments, which is important for use cases that have been discussed.
Obviously any work encompassing those use cases would need to clearly
document security and privacy implications of the mechanisms used for
authentication.)

There is a  separate issue is on how identity on public FQDN certificates
is authenticated, from a protocol perspective, in terms of what is
mandatory to implement (MTI), including dependencies.

(Again, this is specifically ONLY about the authentication of resolver
identities for establishing the TLS connection from client to resolver, and
does not relate to subsequent client behavior in any other context, such as
HTTPS generally.)

This relates to establishing a privacy-protecting channel from the client
to resolver, which arguably is much broader in scope than the privacy
attributes for a TLS connection to a single end-point on the WWW.

The open question is whether WebPKI (using some set of CAs) should be MTI,
or whether use of other validation mechanisms such as DANE TLSA records
anchored at the IANA DNS Root Trust Anchor should be MTI?

As a point of relevance, IETF standards achieve the greatest degree of
interoperability when all necessary parameters are published by (or managed
by) IANA. This includes the DNS Root Trust Anchor, and all of the protocol
parameter tables.

Similarly, at least for the non-CCTLDs, ICANN has an oversight and
contractual relationship with registries, and the accreditation of
registrars.

By contrast, neither ICANN nor IANA are directly involved (at least to my
knowledge) in the management or certification of CAs. For the specific
purposes of authentication for a "secure" protocol in 2020, is it
appropriate to "bake in" the role of CAs and the CA/B to the MTI aspects of
the protocol?

I think it is something that needs to be taken into consideration in the WG
charter.

Brian

v2.23.0 | Report a Bug | By Email