[dane] WGLC: DANE-SRV feedback on 3.4 through rest of document.
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 14 December 2014 23:44 UTC
Date: Sun, 14 Dec 2014 23:44:48 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141214234448.GK25666@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
In-Reply-To: <547BC8F9.1070605@andyet.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/JBU3l9-pBLSQ-VCPvrmK9ALI2eI
[ I'm splitting it into a few messages to keep it manageable, and in
any case some of my comments are still pencil marks on a print-out,
not yet transcribed. ]

This message covers 3.4 through the end of the document.

General comment (copied verbatim from abstract and introduction feedback):

    The draft frequently talks about "hostnames", where what is really
    meant is a transport endpoint (port, transport protocol, host).
    With PKIX-EE or DANE-EE certificate usages, TLSA records are more
    precise than the Web PKI and can associate different,
    non-interchangeable key material with distinct services on a
    single host. So in many places I will be suggesting replacing
    statements about "hostnames" with statements about "transport
    endpoints".

3.4. Impact on TLS Usage

    First bullet: s/under 4/in 4/

    Third bullet: s/If the TLSA response is "bogus" or
    "indeterminate"/If the TLSA lookup fails/ perhaps noting that a
    "secure" or "insecure" NXDOMAIN is not a failure (as in DNS error
    section of SMTP draft).

4.1. SRV records only

    Second paragraph: Also mention here that 6125 and reference
    identifiers don't apply with DANE-EE(3) (some folks may not read
    as far as 4.2)

4.2 TLSA Records:

    The SMTP and OPS drafts have "toned down" the degree to which the
    content of DANE-EE(3) certs is ignored, specifically only the
    hostname and expiration are superseded by DNSSEC. Other features
    of the certificate (key usage, ...) may still be taken into
    account.

Material after section 4 is largely fine.

  * Please update smtp-with-dane reference from -05 to -13.

  * Should the XMPP example SRV record really be "_xmpp-client", or
    instead "_xmpp-server"? Not familiar with XMPP, so please pardon
    my confusion if that's what it is.

-- 
Viktor.
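Added illustration (editor's example, not text from the draft or from this message) of two points raised above: a TLSA name identifies a transport endpoint rather than a bare hostname, a "bogus"/"indeterminate" lookup is a failure while a "secure" or "insecure" empty answer is not, and with DANE-EE(3) the certificate's names and expiry are superseded by DNSSEC while other certificate features (key usage) are still checked. The resolver status, the RRset tuples and the certificate dict are constructed inputs; no DNS or TLS is performed.

```python
import hashlib
from enum import Enum


class Dnssec(Enum):
    """DNSSEC validation status of a TLSA lookup, as a validating resolver reports it."""
    SECURE = "secure"
    INSECURE = "insecure"
    BOGUS = "bogus"
    INDETERMINATE = "indeterminate"


def tlsa_owner_name(host, port, proto="tcp"):
    """TLSA owner name for one transport endpoint (port, protocol, host).
    Two services on the same host get distinct names, hence distinct key material."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def classify_tlsa_lookup(status, rrset):
    """Decide what a client does with the TLSA answer for one endpoint.
    'fail'   : bogus/indeterminate -> the lookup failed, do not use the endpoint
    'nodane' : insecure, or secure NXDOMAIN/NODATA (empty rrset) -> non-DANE TLS
    'dane'   : secure and non-empty -> DANE authentication is required"""
    if status in (Dnssec.BOGUS, Dnssec.INDETERMINATE):
        return "fail"
    if status is Dnssec.INSECURE or not rrset:
        return "nodane"
    return "dane"


def spki_sha256_hex(spki_der):
    """Matching type 1 (SHA-256) over the selector-1 data (SubjectPublicKeyInfo)."""
    return hashlib.sha256(spki_der).hexdigest()


def dane_ee_matches(rrset, cert):
    """DANE-EE(3) / selector 1 / matching type 1 check.
    rrset: (usage, selector, mtype, hex_data) tuples; cert: constructed dict.
    cert['names'] and cert['expired'] are deliberately never consulted:
    DNSSEC supersedes hostname and expiration for usage 3.  Other features,
    here cert['key_usage_ok'], still apply."""
    digest = spki_sha256_hex(cert["spki"])
    for usage, selector, mtype, data in rrset:
        if (usage, selector, mtype) == (3, 1, 1) and data == digest:
            return bool(cert["key_usage_ok"])
    return False


if __name__ == "__main__":
    spki = b"constructed-spki-bytes"  # stands in for a DER SubjectPublicKeyInfo
    rrs = [(3, 1, 1, spki_sha256_hex(spki))]
    cert = {"spki": spki, "names": ["other.example"], "expired": True, "key_usage_ok": True}
    print(tlsa_owner_name("xmpp.example.net", 5269), classify_tlsa_lookup(Dnssec.SECURE, rrs),
          dane_ee_matches(rrs, cert))
```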