Re: [Add] [Ext] Updated charter proposal for ADD
Brian Dickson <brian.peter.dickson@gmail.com> Fri, 17 January 2020 18:25 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A30D71200F1 for <add@ietfa.amsl.com>; Fri, 17 Jan 2020 10:25:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 01uVqt7Cfcg8 for <add@ietfa.amsl.com>; Fri, 17 Jan 2020 10:25:37 -0800 (PST)
Received: from mail-vk1-xa35.google.com (mail-vk1-xa35.google.com [IPv6:2607:f8b0:4864:20::a35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8CCA1200F9 for <add@ietf.org>; Fri, 17 Jan 2020 10:25:21 -0800 (PST)
Received: by mail-vk1-xa35.google.com with SMTP id d17so6901344vke.5 for <add@ietf.org>; Fri, 17 Jan 2020 10:25:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0xie+KcE/oGBWWA6W8HAKD2nRY6bNNXpdq+xuXrXdA4=; b=qQOkMla0QgJQB0g9n0zUtq19eYTzmDH0QG4iCPracH3gREPatMJyGteiC/qdaXHuqW q3xG97QfkoYfND4PzOo04X7OA858WshR1RWzLf/3SC5M2WZB+c0D18eMmeZhrVLfRzwz P9rD9YKkLtzpqn9n05XWiyjQwCA/nubv9F2+reYhJLUdc/XasCA6rrdAv9cuuk5KZCTy 1f0p3X1hINTHrxaMhKWOdMmf97Q3+6mM8GAGsRg3l07OPmCUZ40WoBahNgggHKjLmBg+ sJfS7bevY0X/3m8B+OQzZdEoApPsIfnp9S8kB8Y9gKz8AD62vfGKa6hk/lbozKU/HsRo 0fSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0xie+KcE/oGBWWA6W8HAKD2nRY6bNNXpdq+xuXrXdA4=; b=JrTf/4YpaXX/oYYyQ8u7OcEVvibFDlVYysdTuDvNgHvxhJL/6yXu+r1FSEMuFMSIOj MUFvyUlFaUKqdmB1CHz2O74V4FNf3t7Tv1OonxBF7l2F3Z5Nv+qP2IpD9Y7GiG+y9O3K QA3dL7EDnMFalTd+X22SB0lRvchEO35OfKPzLiQzmMIGP6uuvunltampW6hkNI6shtNH n8tFmJGz0FoAQOuv6UOD/vI4TChwvKvZz4SPvvklB148riibxG1/riv57S9wwZOfrDTd YI/PRaYlZD2UZIWMAcA0Spi3MuLZTt5hFw2gVLnR3zRyLu+X/bv7vIaQEfjNCgEARscj uNBQ==
X-Gm-Message-State: APjAAAUGaCWn8MR5ou54Z0NDgBD7dC2ebc2imB8LgOWaEmBQLJH8Z9EK r2Pof4zepSvLsvvfvuY69IVu7IHUPGg3eG2ERJE=
X-Google-Smtp-Source: APXvYqzKe+7gjZEaAsZQHH4DRAImE+bqEe5Rq3TlVH6PXTMAKvONJSm509LNsbEynOghL/SoS/sOI0RZaEek4MQsUL0=
X-Received: by 2002:a1f:73c6:: with SMTP id o189mr22574422vkc.60.1579285520808; Fri, 17 Jan 2020 10:25:20 -0800 (PST)
MIME-Version: 1.0
References: <CAChr6SwZMid9ruggYAu5bqBEcujhczp34mJ=TZPAjSXw50ZBKQ@mail.gmail.com> <C70ECC76-7431-4FC2-B555-0E1D8D82B449@nbcuni.com> <CAChr6SwYtJh84CLE9n+fuqjdFAaSzNP=aFKqa70KY=Mx+F76MQ@mail.gmail.com> <CWXP265MB0566FDF1030771C6916BE37AC2360@CWXP265MB0566.GBRP265.PROD.OUTLOOK.COM> <F82221F8-35B8-497F-8AA9-F2405000650F@fugue.com> <CAOdDvNqyJhu_q8ALpBeg=zcjyUpHW=fpTxSsoCV0_c=oiXg=pA@mail.gmail.com>
In-Reply-To: <CAOdDvNqyJhu_q8ALpBeg=zcjyUpHW=fpTxSsoCV0_c=oiXg=pA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 17 Jan 2020 10:25:09 -0800
Message-ID: <CAH1iCipugAaz6=Hr9_C+AzUjGrnBKZteY695DGqHafLVSEQ4CA@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Ted Lemon <mellon@fugue.com>, Andrew Campling <andrew.campling@419.consulting>, "STARK, BARBARA H" <bs7652@att.com>, "Deen, Glenn (NBCUniversal)" <Glenn.Deen@nbcuni.com>, ADD Mailing list <add@ietf.org>, Rob Sayre <sayrer@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000778031059c5a109b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/t3QYeunbFO50GoOTpw-mkjgW3oQ>
Subject: Re: [Add] [Ext] Updated charter proposal for ADD
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 18:25:43 -0000
On Fri, Jan 17, 2020 at 7:16 AM Patrick McManus <mcmanus@ducksong.com> wrote: > Discovery requires authentication - otherwise the encryption is just snake > oil security. everyone wants to apply policy (even if the policy is > 'unfiltered') and you can't deliver that policy without authentication. And > you can't seriously offer confidentiality without authentication either. > The proposed charter is clear on this. A charter that allowed the creation > of a an unauthenticated "secure" protocol in 2020 would fail to recognize > what is possible and really ought to be irrelevant. > The scope of the proposed charter extends beyond exclusively public resolvers and exclusively web browsers, at least as I read it currently. For the purposes of clarity, we should be careful about the scope of statements such as this, for which I propose some alternate wording for what you wrote. E.g.: "Use of discovered resources which have globally-scoped names requires authentication of those names as part of the protocol being used." I.e. authentication is a "must" IFF the name is an FQDN rooted in the public DNS tree (as served via the IANA root zone). (This would leave open the question of authentication in other environments, which is important for use cases that have been discussed. Obviously any work encompassing those use cases would need to clearly document security and privacy implications of the mechanisms used for authentication.) There is a separate issue is on how identity on public FQDN certificates is authenticated, from a protocol perspective, in terms of what is mandatory to implement (MTI), including dependencies. (Again, this is specifically ONLY about the authentication of resolver identities for establishing the TLS connection from client to resolver, and does not relate to subsequent client behavior in any other context, such as HTTPS generally.) This relates to establishing a privacy-protecting channel from the client to resolver, which arguably is much broader in scope than the privacy attributes for a TLS connection to a single end-point on the WWW. The open question is whether WebPKI (using some set of CAs) should be MTI, or whether use of other validation mechanisms such as DANE TLSA records anchored at the IANA DNS Root Trust Anchor should be MTI? As a point of relevance, IETF standards achieve the greatest degree of interoperability when all necessary parameters are published by (or managed by) IANA. This includes the DNS Root Trust Anchor, and all of the protocol parameter tables. Similarly, at least for the non-CCTLDs, ICANN has an oversight and contractual relationship with registries, and the accreditation of registrars. By contrast, neither ICANN nor IANA are directly involved (at least to my knowledge) in the management or certification of CAs. For the specific purposes of authentication for a "secure" protocol in 2020, is it appropriate to "bake in" the role of CAs and the CA/B to the MTI aspects of the protocol? I think it is something that needs to be taken into consideration in the WG charter. Brian
- [Add] Updated charter proposal for ADD Tommy Pauly
- Re: [Add] Updated charter proposal for ADD Neil Cook
- Re: [Add] Updated charter proposal for ADD Paul Adair
- Re: [Add] Updated charter proposal for ADD Diego R. Lopez
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] Updated charter proposal for ADD Livingood, Jason
- Re: [Add] [Ext] Updated charter proposal for ADD Robert Mortimer
- Re: [Add] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Dave Lawrence
- Re: [Add] Updated charter proposal for ADD Jari Arkko
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Alissa Cooper
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Barry Leiba
- Re: [Add] Updated charter proposal for ADD chris.box
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD STARK, BARBARA H
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Stephen Farrell
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Deen, Glenn (NBCUniversal)
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] [Ext] Updated charter proposal for ADD Martin Thomson
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- Re: [Add] Updated charter proposal for ADD nigel.tedeschi
- Re: [Add] Updated charter proposal for ADD Smith, Kevin, Vodafone Group
- Re: [Add] [Ext] Updated charter proposal for ADD Andrew Campling
- Re: [Add] [Ext] Updated charter proposal for ADD Ted Lemon
- Re: [Add] Updated charter proposal for ADD Vittorio Bertola
- Re: [Add] [Ext] Updated charter proposal for ADD Patrick McManus
- Re: [Add] [Ext] Updated charter proposal for ADD Paul Hoffman
- Re: [Add] [Ext] Updated charter proposal for ADD Patrick McManus
- Re: [Add] [Ext] Updated charter proposal for ADD Brian Dickson
- Re: [Add] [Ext] Updated charter proposal for ADD Rob Sayre
- [Add] Food for thought? Mohit Sethi M
- Re: [Add] Food for thought? Mohit Sethi M
- Re: [Add] Food for thought? Ted Lemon
- Re: [Add] Food for thought? tirumal reddy
- Re: [Add] Food for thought? Ted Lemon