IETF Logo Mail Archive

Re: [dane] Reusing TLSA

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 26 September 2012 14:56 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4751421F87B9 for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 07:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.596
X-Spam-Level:
X-Spam-Status: No, score=-102.596 tagged_above=-999 required=5 tests=[AWL=0.003, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjZdjv6a38FC for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 07:56:11 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id B342921F8629 for <dane@ietf.org>; Wed, 26 Sep 2012 07:56:11 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q8QEu7DF016029 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 26 Sep 2012 07:56:08 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com>
Date: Wed, 26 Sep 2012 07:56:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org> <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1498)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 14:56:12 -0000

On Sep 26, 2012, at 1:46 AM, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 23:32, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:
>> 
>>> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?
>> 
>> No, because the types of content are identical.
> 
> They are not, as I just pointed out in the other thread.

Unless I missed it (certainly a possibility), what you pointed out was different semantics for identical content. That is, where the RFC talks about the trust anchor for the server, and chains sent by the server, we need to change that to trust anchors used by, and chains sent by, the sending party. No bits on the wire change, right?

>>> Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?
>> 
>> That's not content, that's the request you used to get the content.
>> 
>> As Ben pointed out earlier, we need to make a few changes saying "where DANE talks about a chain sent by the server, this document is talking about a chain sent by the other party". But the contents are the same.
> 
> You could argue that all RRs merely contain bytes, so their contents
> are "the same".

No, you can't. The TLSA RR has particular fields with particular structure. That structure is identical in SMIMEA.

> If they mean different things, then they're not
> _really_ the same.

Nor do they need to be _really_ the same, just have the same format.

> It could be that TLSA could be redrafted to fix this problem.

It sounds like that a new RFC can update the TLSA draft. That's exactly what we are proposing. :-)

--Paul Hoffman

v2.23.0 | Report a Bug | By Email