[dane] WGLC: DANE-SRV feedback on 3.4 through rest of document.

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 14 December 2014 23:44 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9D581A0161 for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 15:44:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgxq4mehom1s for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 15:44:50 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 149971A0217 for <dane@ietf.org>; Sun, 14 Dec 2014 15:44:49 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 72C7B284AD5; Sun, 14 Dec 2014 23:44:48 +0000 (UTC)
Date: Sun, 14 Dec 2014 23:44:48 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Sender: dane <dane-bounces@ietf.org>
To: dane@ietf.org
Message-ID: <20141214234448.GK25666@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <547BC8F9.1070605@andyet.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/JBU3l9-pBLSQ-VCPvrmK9ALI2eI
Subject: [dane] WGLC: DANE-SRV feedback on 3.4 through rest of document.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Dec 2014 23:44:51 -0000

[ I'm splitting it into a few messages to keep it manageable, and
  in any case some of my comments are still pencil marks on a
  print-out, not yet transcribed. ]

This message covers 3.4 through the end of the document.

General comment (copied verbatim from abstract and introduction
feedback):

    The draft frequently talks about "hostnames", where what is
    really meant is a transport endpoint (port, transport protocol,
    host).  With PKIX-EE or DANE-EE certificate usages, TLSA records
    are more precise than the Web PKI and can associate different,
    non-interchangeable key material with distinct services on a
    single host.  So in many places I will be suggesting replacing
    statements about "hostnames" with statements about "transport
    endpoints".

3.4. Impact on TLS Usage

   First bullet:

	s/under 4/in 4/

   Third bullet:

	s/If the TLSA response is "bogus" or "indeterminate"/If the TLSA lookup fails/

   perhaps noting that a "secure" or "insecure" NXDOMAIN is not a failure (as in DNS
   error section of SMTP draft).

4.1. SRV records only

  Second paragraph:

    Also mention here that 6125 and reference identifiers don't apply
    with DANE-EE(3) (some folks may not read as far as 4.2)

4.2 TLSA Records:

  The SMTP and OPS drafts have "toned down" the degree to which the
  content of DANE-EE(3) certs is ignored, specifically only the
  hostname and expiration are superseded by DNSSEC.  Other features
  of the certificate (key usage, ...) may still be taken into account.

Material after section 4 is largely fine.

  * Please update smtp-with-dane reference from -05 to -13.

  * Should he XMPP example SRV record really be "_xmpp-client",
    or instead "_xmpp-server"?  Not familiar with XMPP, so please
    pardon my confusion if that's what it is.

-- 
	Viktor.