Re: [certid] What DNS-ID if also using a DNS-SRV?

Shumon Huque <shuque@isc.upenn.edu> Thu, 01 July 2010 04:55 UTC

Return-Path: <shuque@isc.upenn.edu>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4953F3A67FA for <certid@core3.amsl.com>; Wed, 30 Jun 2010 21:55:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.289
X-Spam-Level:
X-Spam-Status: No, score=-2.289 tagged_above=-999 required=5 tests=[AWL=0.310, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfbLSs6eHhbK for <certid@core3.amsl.com>; Wed, 30 Jun 2010 21:55:46 -0700 (PDT)
Received: from talkeetna.isc-net.upenn.edu (TALKEETNA.isc-net.upenn.edu [128.91.197.188]) by core3.amsl.com (Postfix) with ESMTP id 7362B3A67CF for <certid@ietf.org>; Wed, 30 Jun 2010 21:55:46 -0700 (PDT)
Received: by talkeetna.isc-net.upenn.edu (Postfix, from userid 4127) id 732973057; Thu, 1 Jul 2010 00:55:57 -0400 (EDT)
Date: Thu, 1 Jul 2010 00:55:57 -0400
From: Shumon Huque <shuque@isc.upenn.edu>
To: Peter Saint-Andre <stpeter@stpeter.im>
Message-ID: <20100701045557.GA3758@isc.upenn.edu>
References: <20100612013249.GA4782@isc.upenn.edu> <4C2A65B5.4080209@stpeter.im> <p06240842c8503b7c94bc@[10.20.30.158]> <20100630043158.GB26880@isc.upenn.edu> <p0624081dc8510ebfea3f@[10.20.30.158]> <07D9A6FC-C154-4125-AC33-45F2CE0C0374@apple.com> <p06240820c8513a692695@[10.20.30.158]> <4C2BA09F.8020908@stpeter.im> <p06240839c8515264c586@[10.20.30.158]> <4C2BBEA1.1090506@stpeter.im>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4C2BBEA1.1090506@stpeter.im>
User-Agent: Mutt/1.4.2.1i
Organization: University of Pennsylvania
Cc: certid@ietf.org
Subject: Re: [certid] What DNS-ID if also using a DNS-SRV?
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jul 2010 04:55:47 -0000

On 6/30/10 2:00 PM, Paul Hoffman wrote:
[...]
> I agree that we have to look at the details of the service. To me, 
> there are two types of names:
> - direct (CN-ID, DNS-ID, and URI-ID)
> - indirect (SRV-ID)

On Wed, Jun 30, 2010 at 04:01:05PM -0600, Peter Saint-Andre wrote:
[...]
>    Therefore:
> 
>    o  A CN-ID identifier is direct (provided by a user) and unrestricted
>       (can be used for any application).
>    o  A DNS-ID identifier is direct (provided by a user) and
>       unrestricted (can be used for any application).
>    o  An SRV-ID identifier is indirect (resolved by a client) and
>       restricted (can be used for only a single application).
>    o  A URI-ID identifier is direct (provided by a user) and restricted
>       (can be used for only a single application).

I'm not sure I buy this classification. I was trying to figure out
what Paul meant by "direct" and "indirect" - it looks like direct
means "provided by client" and indirect means "DNS resolution
was involved". In that sense I don't see any distinct category for
SRV-ID. The information in the SRV-ID *is* provided by the client.
If the client is attempting to connect to the IMAP service at
example.com, it already has all the information to construct the
SRV identity (_imap.example.com) - no DNS resolution was involved.

DNS resolution is involved in all 4 of these identity types in order
to get the network layer address of the server for connection 
establishment purposes. This should be differentiated from the identity
of the server used for TLS/PKIX authentication. CN-ID, DNS-ID, URI-ID
will involve A, AAAA DNS resolutions. And don't forget that they might
also involve aliases (CNAMEs).

The more meaningful classification to me involves the difference 
between generic domain name identities (CN-ID, DNS-ID) and application 
specific identities (SRV-ID, URI-ID).

(Actually URI-ID can be even more granular, by also specifying a
particular resource/path within an application, but I don't think
we want to deal with that in this draft -- to manage the scope of
this draft, maybe we need to constrain the format of URIs that we
are addressing).

--Shumon.