[dane] New version of tls-dnssec-chain draft (-02)

Shumon Huque <shuque@gmail.com> Sat, 31 October 2015 23:34 UTC

Date: Sun, 01 Nov 2015 08:34:40 +0900
Message-ID: <CAHPuVdXgCHb4UfXi3smFOsQxN8nRSzd2c17xr_TOF=snSBHVJg@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: "<dane@ietf.org>" <dane@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/FSmayEl-DcoRLcFg3f1vqiRqFjk>
Subject: [dane] New version of tls-dnssec-chain draft (-02)

DANE folks,

We've recently updated the "TLS extension for DANE and DNSSEC
authentication chain" draft:

   https://tools.ietf.org/html/draft-shore-tls-dnssec-chain-extension-02

This work is proposed to happen in TLS, but we hope to get plenty
of feedback from DNS/DANE folks. Here's a quick summary of the major
changes in -02:

* Updated references to newly published DANE RFCs

* An update to the chain data format. It now uses native DNS wire
  format resource records with no TLS presentation language wrapping.
  This makes it easier for implementations to work with existing
  DNS libraries to produce and consume the data. But we still describe
  the data format in sufficient detail that implementers not using DNS
  libraries can work with it.

* Description of how CNAMEs and DNAMEs are accommodated

* Reference to use of the X.509v3 TLS Feature Extension to mandate
  use of the extension by a server certificate.

* Reference to the EDNS chain query option draft as a future easy
  way to obtain/produce the chain data.

* Removed discussion of possible client caching of chain data
  components (could be difficult to get right and/or a premature
  optimization).

--
Shumon Huque
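The -02 change to native DNS wire-format resource records means a TLS client can hand the chain data to ordinary RR parsing. The following is an added example, not code from the draft or its authors: it builds a constructed two-record chain (a TLSA RR and an RRSIG RR with a placeholder signature, no real DNSKEY/DS records) and splits it back into records. It assumes owner names in the chain are uncompressed and treats a compression pointer or a truncated RDATA as a malformed chain.

```python
import struct

TYPE_TLSA, TYPE_RRSIG = 52, 46  # IANA RR type codes

def encode_name(name):
    """Uncompressed wire-format owner name: length-prefixed labels, root = 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_rr(name, rtype, ttl, rdata):
    # NAME | TYPE | CLASS (IN=1) | TTL | RDLENGTH | RDATA, the RFC 1035 RR layout
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:  # assumption: chain data carries no name-compression pointers
            raise ValueError("compression pointer not allowed in chain data")
        labels.append(buf[off:off + n].decode("ascii")); off += n

def parse_chain(buf):
    """Split a concatenation of wire-format RRs into (name, type, class, ttl, rdata)."""
    rrs, off = [], 0
    while off < len(buf):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off); off += 10
        rdata = buf[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")  # chain cut off mid-record: reject it
        off += rdlen
        rrs.append((name, rtype, rclass, ttl, rdata))
    return rrs

def parse_tlsa(rdata):
    """TLSA RDATA (RFC 6698): usage, selector, matching type, association data (hex)."""
    return rdata[0], rdata[1], rdata[2], rdata[3:].hex()

# Constructed sample chain: TLSA (DANE-EE, SPKI, SHA-256, fake digest) + RRSIG with a
# placeholder signature over it. Real chains also carry the DNSKEY/DS records to the root.
OWNER = "_443._tcp.example.com."
TLSA_RDATA = bytes([3, 1, 1]) + bytes.fromhex("aa" * 32)
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_TLSA, 13, 4, 3600, 0x5A000000, 0x59000000, 12345)
               + encode_name("example.com.") + b"\x00" * 64)  # signer name + fake signature
SAMPLE_CHAIN = encode_rr(OWNER, TYPE_TLSA, 3600, TLSA_RDATA) + encode_rr(OWNER, TYPE_RRSIG, 3600, RRSIG_RDATA)
```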