Re: [dane] Draft ietf-dane-srv-07

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 25 August 2014 23:32 UTC

Date: Mon, 25 Aug 2014 23:32:24 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140825233223.GV14392@mournblade.imrryr.org>
References: <E97563AC-9012-45BB-BBE0-44D35C8419F9@edvina.net> <20140724125827.GX2595@mournblade.imrryr.org> <53F37F9C.3050504@stpeter.im> <m3vbpoqs2g.fsf@carbon.jhcloos.org> <53F39F1A.2080108@stpeter.im> <20140819194607.GJ14392@mournblade.imrryr.org> <53FBC668.3000204@stpeter.im>
In-Reply-To: <53FBC668.3000204@stpeter.im>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/5SNyt8XYdCYEfUsptKTNAt-pvjI
Subject: Re: [dane] Draft ietf-dane-srv-07

On Mon, Aug 25, 2014 at 05:27:36PM -0600, Peter Saint-Andre wrote:

> How about this?
> 
>    (because the TLSA records can
>    be ignored if the address records are not secure, performing the TLSA
>    queries in parallel is not harmful from a security perspective).

The reason to skip (or at least ignore lookup errors with) TLSA
lookups when A/AAAA are "insecure" is operational, not security.
So perhaps:

   s/security perspective/operational perspective/

Otherwise, if it says what you want it to say, fine.  I am not sure
the draft needs to teach implementors how to optimize the
implementation, but if you feel it is important (to encourage
adoption) go for it.

You could probably therefore phrase it a bit better than the
suggested substitution.

-- 
	Viktor.
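The decision being discussed above, as an added example that is not part of the thread, the draft, or any implementation it describes: a client issues the A and TLSA queries for an SRV target in parallel, and because a TLSA answer is discarded whenever the address records are not DNSSEC-secure, a failed TLSA lookup in that case is harmless and only the case where the address records are secure needs care. The resolver is a stub over constructed zone data (all names, addresses and TLSA values are hypothetical); the handling of a TLSA lookup error when the address records are secure is a conservative choice made for this example, not a statement of what the draft requires.

```python
"""Added example: parallel A/TLSA lookups for a DANE-SRV target.

The stub resolver below returns constructed answers, so this runs offline.
The 'secure' flag stands in for DNSSEC validation (the AD bit); 'error'
marks a lookup failure such as SERVFAIL, as opposed to "no such record".
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Optional


@dataclass
class Answer:
    records: list
    secure: bool                  # True iff the answer was DNSSEC-validated
    error: Optional[str] = None   # lookup failure, not an empty/NODATA answer


# Constructed stub zone data (hypothetical names, not real deployments).
ZONE = {
    # Fully signed deployment: SRV, A and TLSA all secure.
    ("_xmpp-client._tcp.example.net", "SRV"): Answer([("xmpp.example.net", 5222)], True),
    ("xmpp.example.net", "A"): Answer(["192.0.2.10"], True),
    ("_5222._tcp.xmpp.example.net", "TLSA"): Answer([(3, 1, 1, "ab" * 32)], True),
    # Secure SRV pointing at an unsigned target zone; TLSA lookup even fails.
    ("_xmpp-client._tcp.legacy.example", "SRV"): Answer([("chat.legacy.example", 5222)], True),
    ("chat.legacy.example", "A"): Answer(["192.0.2.20"], False),
    ("_5222._tcp.chat.legacy.example", "TLSA"): Answer([], False, error="SERVFAIL"),
    # Secure target whose TLSA lookup fails: the case that must not downgrade.
    ("_xmpp-client._tcp.broken.example", "SRV"): Answer([("x.broken.example", 5222)], True),
    ("x.broken.example", "A"): Answer(["192.0.2.30"], True),
    ("_5222._tcp.x.broken.example", "TLSA"): Answer([], False, error="SERVFAIL"),
}


def lookup(name, rtype):
    """Stub resolver: anything not in ZONE is reported as a lookup failure."""
    return ZONE.get((name, rtype), Answer([], False, error="NXDOMAIN"))


def resolve_target(host, port):
    """Issue the A and TLSA queries for one SRV target in parallel.

    Returns (addresses, tlsa_records_or_None, reason).  Raises LookupError
    when the target cannot be used safely.
    """
    with ThreadPoolExecutor(max_workers=2) as pool:
        addr_f = pool.submit(lookup, host, "A")
        tlsa_f = pool.submit(lookup, f"_{port}._tcp.{host}", "TLSA")
    addr, tlsa = addr_f.result(), tlsa_f.result()

    if addr.error:
        raise LookupError(f"address lookup for {host} failed: {addr.error}")
    if not addr.secure:
        # Insecure address records: the TLSA answer is ignored whatever it
        # contains, so a failed or slow TLSA query costs nothing here.  This
        # is why issuing both queries at once is safe.
        return addr.records, None, "address records insecure; TLSA ignored"
    if tlsa.error:
        # Secure address records but the TLSA lookup failed: we cannot tell
        # whether the target publishes TLSA, so this example refuses the
        # target rather than silently downgrade (conservative choice).
        raise LookupError(f"TLSA lookup for {host}:{port} failed: {tlsa.error}")
    if not tlsa.secure or not tlsa.records:
        return addr.records, None, "no secure TLSA records"
    return addr.records, tlsa.records, "DANE"


def plan_connection(service):
    """Resolve an SRV service name into usable targets.

    Returns a list of (host, port, addresses, tlsa_or_None, reason); targets
    that fail resolve_target are skipped.  An insecure or failed SRV lookup
    yields no targets, since DANE for SRV only applies to a secure SRV answer.
    """
    srv = lookup(service, "SRV")
    if srv.error or not srv.secure:
        return []
    plan = []
    for host, port in srv.records:
        try:
            addrs, tlsa, reason = resolve_target(host, port)
        except LookupError:
            continue
        plan.append((host, port, addrs, tlsa, reason))
    return plan


if __name__ == "__main__":
    for svc in ("_xmpp-client._tcp.example.net",
                "_xmpp-client._tcp.legacy.example",
                "_xmpp-client._tcp.broken.example"):
        print(svc, "->", plan_connection(svc))
```

The parallelism itself is the uninteresting part; the point is that the branch on `addr.secure` runs before the TLSA answer is ever inspected, which is what makes the early TLSA query safe, and that the only branch where a TLSA lookup error matters is the one where the address records are secure.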