IETF Logo Mail Archive

Re: [dane] namespace management, DANE Client Authentication draft updated

"John R Levine" <johnl@taugh.com> Wed, 13 January 2016 02:32 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DAEA1B2C11 for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 18:32:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.136
X-Spam-Level:
X-Spam-Status: No, score=-1.136 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, KHOP_DYNAMIC=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XSu9yKalJGI4 for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 18:32:21 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02F9D1B2C0F for <dane@ietf.org>; Tue, 12 Jan 2016 18:32:20 -0800 (PST)
Received: (qmail 45502 invoked from network); 13 Jan 2016 02:32:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=b1bd.5695b733.k1601; bh=wn/bgj5uu2p5n8wONh7Lxn5aPvhhk0NF5HxKzTuj/Yw=; b=ms9uyx9TCUv9IFqcCjCgdgVHKcJE86XbJaOSimMID9sw07gt1gxbyng1jnWRUdWNQrqyrHLkQjuXC7hKXlc3/2DmiKozfp+mIxRztKtyIC9NVyjpyw+FnVhN89zoZU8K8PoWeIniSCwdZESulW2g7MELDwCnLriXS5fNerGVBpEe4LWoNvNLoIc3Gh9fH5u4+mVrCzMqQRGYUKbzQpJUoJ22P8x14b9jjxAjftZfuo9Un/0EcXrorgfhgIeteEhZ
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=b1bd.5695b733.k1601; bh=wn/bgj5uu2p5n8wONh7Lxn5aPvhhk0NF5HxKzTuj/Yw=; b=Nq1lHnUNL75YhcWJjaD8WDMMhw/ulbuPEmGO05cLS0cB4qXXKnkl0oU5Gn0GDKFUfck8abJgfhGupuZzGLQE1dJMyFpm22vbLmXEdpELaAH8hvDstzXUW8MRmjpSUjX4RM3jyHVaSYSfySMy79HwDcNdwZ0G6bfVapEmVcbbHdGn7s5Ys9YmJ/iz37DiMvD0xusZOcOjJdNu0xLz3VhKrXkPwNwBS9w+Zd+93z0NJUGFwOP++t8Rs4TxKbfP4VdN
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 13 Jan 2016 02:32:19 -0000
Date: Tue, 12 Jan 2016 21:32:19 -0500
Message-ID: <alpine.OSX.2.11.1601122110070.3339@ary.lan>
From: John R Levine <johnl@taugh.com>
To: Shumon Huque <shuque@gmail.com>
In-Reply-To: <CAHPuVdWC-Si0O2zpr2r7Ucdk9MpU6aPFBcOPn-z_Jpydz_TD7g@mail.gmail.com>
References: <CAHPuVdXYWoD5bZubAu5pEe18sfr69Nat=gp_7iagcVrAgTkY=g@mail.gmail.com> <20160113013152.54184.qmail@ary.lan> <CAHPuVdWC-Si0O2zpr2r7Ucdk9MpU6aPFBcOPn-z_Jpydz_TD7g@mail.gmail.com>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/34quH3hqtlvKofJC8eeE13H03xI>
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 02:32:22 -0000

>> In the DNS, service names only appear as subnames of transport names.
>> So one possibility would be to register smtp-client as a service name,
>> so the DNS label would be _smtp-client._tcp.whatever.example.
>
> I would say "only appear *today* under transport names", but this isn't a
> hard and fast requirement. ...
> We should feel free to construct TLSA owner names in a form that makes 
> sense for the specific application.

They've appeared under transport names for the past 15 years, which means 
that people have expectations about how they're used which I would not 
casually ignore.

There are a lot of other prefixed names floating around the DNS.  If 
someone attempted to use a client name like _spf or _sip or _domainkey or 
_dmarc or _adsp or _vouch they and their users would experience an 
eternity of pain from name collisions.

> For the purposes of this draft, including a transport label might make 
> sense if we expected clients to have distinct transport protocol 
> specific authentication credentials for the same application. This seems 
> unlikely to me.

It has very little to do with distinct transport protocols, and everything 
to do with avoiding name collisions.  Nobody runs POP or IMAP over UDP, 
but the SRV names are still _pop3._tcp and _imap._tcp.

If your names are subnames of _tcp or another transport, you know that the 
only names you can collide with are ones in the IANA services list, and 
you can easily register yours to tell people about them.  If they aren't, 
they could collide with anything.  Dave Crocker has been working on a 
registry for general prefixed names, but it's not likely to exist any time 
soon.

> See Viktor's previous note about why we excluded a _client label.

I saw it, and I have to say it strikes me as penny wise and pound foolish. 
You're getting a tiny simplification in code that for the most part hasn't 
even been written yet, at the cost of having to deal with potential 
collisions with every future use of prefixed names.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

v2.23.0 | Report a Bug | By Email