Re: [dane] [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension [AT LEAST (A)]

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 12 April 2018 19:05 UTC

Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <201804121844.w3CIiqah030722@new.toad.com>
Date: Thu, 12 Apr 2018 15:05:09 -0400
Cc: dane@ietf.org
Reply-To: TLS WG <tls@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <051D83E8-B6C0-4755-B267-291E7D97D516@dukhovni.org>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <87FDEE87-EE58-4886-824C-0DE1906B7784@dukhovni.org> <201804121844.w3CIiqah030722@new.toad.com>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/-M56XCaHkyu9VIsrpX4PKvPxy44>
Subject: Re: [dane] [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension [AT LEAST (A)]


> On Apr 12, 2018, at 2:44 PM, John Gilmore <gnu@toad.com> wrote:
> 
> Viktor, I believe you have confused a "could" with a "mandate".

As to this point, I'm not now and have never been confused about
that.  The present draft, as explained upthread, perhaps in too
many ways and in too many words, offers no value to applications
that don't mandate the use of the extension.  If the application
also accepts WebPKI, and the extension is optional, then a
cost/benefit analysis shows that use of the DANE extension offers
only complexity and no security benefit.  Opportunistic use-cases
of the present draft won't get deployed; they make no sense.

-- 
	Viktor.