Re: [apps-discuss] draft-sullivan-domain-origin-assert-01.txt
Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 06 August 2012 14:24 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42F2421F84F6 for <apps-discuss@ietfa.amsl.com>; Mon, 6 Aug 2012 07:24:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.225
X-Spam-Level:
X-Spam-Status: No, score=-1.225 tagged_above=-999 required=5 tests=[AWL=-0.385, BAYES_00=-2.599, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pfSQeGZYfALK for <apps-discuss@ietfa.amsl.com>; Mon, 6 Aug 2012 07:24:08 -0700 (PDT)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net [208.79.81.114]) by ietfa.amsl.com (Postfix) with ESMTP id 6774521F84E2 for <apps-discuss@ietf.org>; Mon, 6 Aug 2012 07:24:08 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 92A788A031 for <apps-discuss@ietf.org>; Mon, 6 Aug 2012 14:24:07 +0000 (UTC)
Date: Mon, 06 Aug 2012 10:22:55 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: apps-discuss@ietf.org
Message-ID: <20120806142255.GA53917@mail.yitter.info>
References: <5A4FCAA5BA5F59D02EC64B1C@JCK-EEE10>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5A4FCAA5BA5F59D02EC64B1C@JCK-EEE10>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [apps-discuss] draft-sullivan-domain-origin-assert-01.txt
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2012 14:24:09 -0000
Hi John, Thanks for the comments. A little further discussion inline. On Sun, Aug 05, 2012 at 10:46:28PM -0400, John C Klensin wrote: > we discussed briefly in Vancouver. I think your explanation of > the problem(s) and what you are trying to do is muddy, Probably. But I'm not sure you're right I'm trying to solve too many problems at once. See below. > usage is, bluntly, a mess. In particular, the boundaries that > are more specifically discussed in "zone cut" terms (delegation > records and a requirement for an SOA record in the subsidiary > domain (and zone) are widely known as "administrative > boundaries". Yeah. I picked the current term as a kind of compromise -- some have argued that these should be called "administrative domains", which is surely worse. But I like the "policy authority" suggestion, and will try to do something with that. > More broadly, what you are trying to do here is to overlay an > entirely different data structure --really a mesh-- on top of > the strict hierarchy (with weak aliases) DNS structure. That > mesh is multidimensional with the potential for arrangements by > related domain names, by ports, and by scheme/protocol. Yes. The problem here is that in the first draft on this topic I didn't do this, and the response on the w3c web security list was that without schemes and ports the entire idea was totally useless for their purposes. I am not sure how to reconcile that view with the argument you make, which is that we're trying to make statements about who's in charge of a name. Perhaps, however, this is an example of the "too many problems" you argue. The difficulty I have is that the user base for this is really just applications, web browsers prominently among them. If their developers say, "Without these other bits, this mechanism is no use to me, and I won't implement it," that's a strong incentive for me to want to include those other bits. Maybe this means that one needs more than one RR, but then we're into round trips that web browsers also don't want to make. > If very > much of that is used, one could easily end up with a lot of > these records at a given node, far exceeding the UDP limit and > possibly causing other problems. Worse, if a node makes an > assertion about some set of other nodes and they make > contradictory assertions (whether through malice, configuration > error, or attempts at cleverness the spec doesn't anticipate), Actually, I did think about both of these issues. Section 7.1 points out that you can exceed the UDP limits, although it doesn't talk about the extent to which that is undesirable (frankly, I ran out of time to discuss it at length). The security consideration section notes that you'd be an idiot to accept the results if both sides didn't agree, but doesn't go further. I'd be willing to make this stronger, although there's at least one case of cookie use where I'm not sure about whether it'd be ok not to check both sides. > predicts, that port numbers of interest to a particular > situation will occupy continuous ranges. If they do not, even > an attempt to make an assertion about port numbers could result > in a lot of records. Yes. The draft says, "It does not, however, permit arbitrary combinations of destination point and schemes without using more than one RR." I guess that could be clearer. The reason that the port ranges and wildcard on the scheme are there is exactly so that one can make these records port- and scheme-insensitive. I personally think that's the way it'd get used most often anyway, but I'm willing to make the protocol a little messier if it causes people who work on web browsers to think about it some more. > record that parallels the function and definition of the "DNS > administrative authority origin" indication and information > provided by the SOA record. That model fits nicely with the DNS > hierarchy (rather than trying to superimpose a new mesh on top > of it) -- it just clearly defines the two types of boundaries > separate from each other (which they are, of course). This was the notion I originally had, yes. (I didn't call it the SOPA record, but one is tempted now that you've introduced the "Policy Authority" term.) > While aspects of the "variant" story are clearly in your mind No, or anyway not exactly. I think the variant story is just one facet of exactly the same story over and over again: we need to make explicit who has or does not have policy control over a given zone. That's the issue with cookies, with cross-site problems, and with "variants" too. I don't think they're actually different problems, which is why you think I'm trying to solve more than one problem at the same time. Best, A > (and I fear contributing to assorted fantasies of what the DNS > can do to help with that without getting any real value in > return), your one clear use case is the public suffix list and > related cookie issues -- and those do not require port ranges, > scheme lists, or identification of other domains with the same > ownership -- it only requires clear identification of the > administrative/control/ policy boundary. > > best, > john > > > > > > -- Andrew Sullivan ajs@anvilwalrusden.com
- Re: [apps-discuss] draft-sullivan-domain-origin-a… Andrew Sullivan
- [apps-discuss] draft-sullivan-domain-origin-asser… John C Klensin
- Re: [apps-discuss] draft-sullivan-domain-origin-a… John C Klensin