IETF Logo Mail Archive

Re: [apps-discuss] [dane]

Martin Rex <mrex@sap.com> Wed, 02 May 2012 18:53 UTC

Return-Path: <mrex@sap.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C84B011E80B2; Wed, 2 May 2012 11:53:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.231
X-Spam-Level:
X-Spam-Status: No, score=-9.231 tagged_above=-999 required=5 tests=[AWL=-0.782, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_34=0.6, J_CHICKENPOX_46=0.6, J_CHICKENPOX_84=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j6-udFn5t6DH; Wed, 2 May 2012 11:53:20 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id CF94D11E80B1; Wed, 2 May 2012 11:53:19 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id q42IrIZV028717 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 2 May 2012 20:53:18 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201205021853.q42IrHJJ005341@fs4113.wdf.sap.corp>
To: ned.freed@mrochek.com
Date: Wed, 02 May 2012 20:53:17 +0200
In-Reply-To: <01OF07L047040006TF@mauve.mrochek.com> from "Ned Freed" at May 2, 12 11:10:49 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: mrex@sap.com, ned.freed@mrochek.com, apps-discuss@ietf.org, dane@ietf.org, paul.hoffman@vpnc.org, iesg@ietf.org, paul@nohats.ca
Subject: Re: [apps-discuss] [dane]
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 18:53:20 -0000

Ned Freed wrote:
> 
> > Updates: should only be used if the change is supposed to apply not only
> > to implementations of the *new* document, but that all new implementors of
> > the *old* (=updated) document should ignore certain parts of the old
> > document and use the new document instead.
> 
> Which is exactly the sense in which it is being used here. Although
> I think it unlikely given how limited DANE is, it is nevertheless
> possible that some subsequent use of TLSA will require tweaking of
> something in the DANE specification. We're not omnipotent and we
> don't always get every detail right.

Just the opposite.

Quite similar to rfc6125, DANE-protocol assumes that you already have a
trustworthy hostname for which to retrieve the certificate association.
This way, DANE-protocol can be put into a black block module for the
caller and does not need to be updated or changed depending on the
usage scenario.  It would even be possible to tunnel the TLSA+DNSSEC
records for performing DANE-protocol through a TLS extension instead
of looking it up in a combined TLS+DANE module in a fashion that is
completely opaque to the application caller.

What some of the app specs (other than HTTPS) may have to specify _and_
implement, in order to be able to use DANE, is how to securely obtain
a hostname&port which can be used as input to an implementation of
DANE-protocol or input to rfc6125 matching for PKIX-based matching
to DV-validated server certificates.

But such an apps-specific spec is _not_ an update to DANE itself,
in spite of refering to DANE.  It is irrelevant to the DANE software module.

New TLS cipher suites usually do not update or change TLS, new crypto
algorithms usually do not update or change PKIX, new mime-types ususally
do not update HTTP or the internet message format.


> 
> >   - retaining full interop with old implementations based on only
> >     the full spec, and clear distinction of features that were
> >     added or dropped in the updated parts.
> 
> This, OTOH, is unduly constraining.

Not at all.  Maybe you're misreading this.  It says that anything that
claims to update an earlier document must explain where and how it does
that, an in particular outline omissions and mark additions as such,
so that it will be clear to the reader of the document.

Example:  http://tools.ietf.org/html/rfc5321#section-1.2


-Martin

v2.23.0 | Report a Bug | By Email