IETF Logo Mail Archive

Re: [apps-discuss] [dane] AppsDir review of

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 07 May 2012 15:13 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75CD021F85E7; Mon, 7 May 2012 08:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.627
X-Spam-Level:
X-Spam-Status: No, score=-2.627 tagged_above=-999 required=5 tests=[AWL=-0.028, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMzt1lhfmFh6; Mon, 7 May 2012 08:13:05 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 01B8A21F85D6; Mon, 7 May 2012 08:13:03 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 238181ECB41D; Mon, 7 May 2012 15:13:03 +0000 (UTC)
Date: Mon, 07 May 2012 11:13:01 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20120507151257.GH8963@mail.yitter.info>
References: <20120504220713.GR7394@crankycanuck.ca> <201205042224.q44MOo03029933@fs4113.wdf.sap.corp> <20120504223816.GV7394@crankycanuck.ca> <1EF0ACEE-52ED-4BDE-BF34-C995F117783D@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1EF0ACEE-52ED-4BDE-BF34-C995F117783D@vpnc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: The IESG <iesg@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [apps-discuss] [dane] AppsDir review of
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2012 15:13:06 -0000

On Sat, May 05, 2012 at 07:21:51AM -0700, Paul Hoffman wrote:
> 
> Note that the document explicitly states in the last paragraph of
> section 1.2 that "This document only relates to securely associating
> certificates for TLS and DTLS with host names".  We are not talking
> just "domain names" (which are made up of labels of octets) but
> "host names" which are made up of labels of ASCII. We were told
> (wisely) not to try to reopen this can of worms, so we didn't.

Aha, good point.  I guess this needs a normative reference to RFC 952,
then?  That's actually the most recent RFC that establishes the host
rules.

> OLD
>   3.  The domain name is appended to the result of step 2 to complete
>       the prepared domain name.
> 
> NEW
> 
>   3.  The domain name is appended to the result of step 2 to complete
>       the prepared domain name.  (The domain name is the fully
>       qualified DNS domain name [RFC1035] of the TLS server and is
>       represented as a byte string where each label is encoded
>       using ASCII; this enables support for internationalized
>       domain names through the use of A-labels as defined in
>       [RFC5890].)

I'm still uncomfortable with this, because it's not technically
accurate.  When you send the QNAME, it's not a "byte string" and the
labels aren't encoded.  They're octets, not strings.

How about 

    3.  The base domain name is appended to the result of step 2 to
        complete the prepared domain name.  The base domain name is the 
        fully-qualified DNS domain name [RFC1035] of the TLS server,
        with the additional restriction that every label must meet the
        rules of [RFC952].  The latter restriction means that, if the
        query is for an internationalized domain name, it must use the
        A-label form as defined in [RFC5890].

?  I added the modifier "base" to this to make it clear that we're not
defining what domain names are, although I don't myself feel too
strongly about that addition.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email