Re: [dane] namespace management, DANE Client Authentication draft updated

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 13 January 2016 22:37 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5356A1A8797 for <dane@ietfa.amsl.com>; Wed, 13 Jan 2016 14:37:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wl9in_xZ-3jW for <dane@ietfa.amsl.com>; Wed, 13 Jan 2016 14:37:01 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6A311A877C for <dane@ietf.org>; Wed, 13 Jan 2016 14:37:00 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 178FA284E5C; Wed, 13 Jan 2016 22:37:00 +0000 (UTC)
Date: Wed, 13 Jan 2016 22:37:00 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160113223659.GB28324@mournblade.imrryr.org>
References: <20160113181428.GN18704@mournblade.imrryr.org> <20160113200617.65983.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160113200617.65983.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/AreW2nqJi53I5rtxB9cFrw-fJ5g>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 22:37:02 -0000

On Wed, Jan 13, 2016 at 08:06:17PM -0000, John Levine wrote:

> >    _service._client.node.example. IN TLSA ...
> 
> Ah, we're getting closer.

Well, I can live with the above, *if* there's a good reason to
expect conflicts that block use of CNAMEs.

> >I still don't see any use for _tcp/_udp in there.
> 
> RFC 6698 has _tcp _udp and _sctp protocols as part of the names for
> TLSA.

For a good reason, because the full prefix is "_<portnumber>._<proto>".
Without "_proto", we get TLSA records applied to the wrong service
endpoint, because UDP ports with the same number don't reach have
the same service as the TCP ports.

> It seems rather odd to have the protocol name for the server
> certificate but not for the client.

Because the client prefix-label a service *name*, so so the port
collision issue goes away.  We should not cargo-cult designs,
the rationale has to carry over logically, and false analogies
need to be avoided.

-- 
	Viktor.