Re: [apps-discuss] [dane] AppsDir review of
Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 07 May 2012 15:13 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75CD021F85E7; Mon, 7 May 2012 08:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.627
X-Spam-Level:
X-Spam-Status: No, score=-2.627 tagged_above=-999 required=5 tests=[AWL=-0.028, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMzt1lhfmFh6; Mon, 7 May 2012 08:13:05 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by ietfa.amsl.com (Postfix) with ESMTP id 01B8A21F85D6; Mon, 7 May 2012 08:13:03 -0700 (PDT)
Received: from mail.yitter.info (69-196-144-227.dsl.teksavvy.com [69.196.144.227]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 238181ECB41D; Mon, 7 May 2012 15:13:03 +0000 (UTC)
Date: Mon, 07 May 2012 11:13:01 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20120507151257.GH8963@mail.yitter.info>
References: <20120504220713.GR7394@crankycanuck.ca> <201205042224.q44MOo03029933@fs4113.wdf.sap.corp> <20120504223816.GV7394@crankycanuck.ca> <1EF0ACEE-52ED-4BDE-BF34-C995F117783D@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1EF0ACEE-52ED-4BDE-BF34-C995F117783D@vpnc.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: The IESG <iesg@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [apps-discuss] [dane] AppsDir review of
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2012 15:13:06 -0000
On Sat, May 05, 2012 at 07:21:51AM -0700, Paul Hoffman wrote: > > Note that the document explicitly states in the last paragraph of > section 1.2 that "This document only relates to securely associating > certificates for TLS and DTLS with host names". We are not talking > just "domain names" (which are made up of labels of octets) but > "host names" which are made up of labels of ASCII. We were told > (wisely) not to try to reopen this can of worms, so we didn't. Aha, good point. I guess this needs a normative reference to RFC 952, then? That's actually the most recent RFC that establishes the host rules. > OLD > 3. The domain name is appended to the result of step 2 to complete > the prepared domain name. > > NEW > > 3. The domain name is appended to the result of step 2 to complete > the prepared domain name. (The domain name is the fully > qualified DNS domain name [RFC1035] of the TLS server and is > represented as a byte string where each label is encoded > using ASCII; this enables support for internationalized > domain names through the use of A-labels as defined in > [RFC5890].) I'm still uncomfortable with this, because it's not technically accurate. When you send the QNAME, it's not a "byte string" and the labels aren't encoded. They're octets, not strings. How about 3. The base domain name is appended to the result of step 2 to complete the prepared domain name. The base domain name is the fully-qualified DNS domain name [RFC1035] of the TLS server, with the additional restriction that every label must meet the rules of [RFC952]. The latter restriction means that, if the query is for an internationalized domain name, it must use the A-label form as defined in [RFC5890]. ? I added the modifier "base" to this to make it clear that we're not defining what domain names are, although I don't myself feel too strongly about that addition. A -- Andrew Sullivan ajs@anvilwalrusden.com
- Re: [apps-discuss] [dane] AppsDir review of Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of Andrew Sullivan
- Re: [apps-discuss] [dane] AppsDir review of SM
- Re: [apps-discuss] [dane] AppsDir review of Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of Andrew Sullivan
- Re: [apps-discuss] [dane] AppsDir review of Andrew Sullivan
- Re: [apps-discuss] [dane] AppsDir review of Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of Ondřej Surý