Re: [dane] Digest Algorithm Agility discussion

Paul Wouters <paul@cypherpunks.ca> Mon, 17 March 2014 18:46 UTC

Date: Mon, 17 Mar 2014 14:46:41 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: dane WG list <dane@ietf.org>
In-Reply-To: <20140317182219.GF24183@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1403171440540.32251@bofh.nohats.ca>
References: <20140315051704.GY21390@mournblade.imrryr.org> <alpine.LFD.2.10.1403171115580.32251@bofh.nohats.ca> <20140317155049.GB24183@mournblade.imrryr.org> <B4473EDA-DAB4-4CC2-ACCD-B4F8939E5A2C@vpnc.org> <20140317174423.GE24183@mournblade.imrryr.org> <040FB71F-BD97-44A2-A600-B6E69FBD1EE5@vpnc.org> <20140317182219.GF24183@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/JhZ-jFLJ6dulWLD4wIaG9FsSRwg

On Mon, 17 Mar 2014, Viktor Dukhovni wrote:

> This is not "use strongest".  This is the opposite.  It forces the
> use of tarnished, but still acceptable digests even when untarnished
> digests are present.  The new proposal is to ignore all but the
> strongest, even when the remainder would be usable.
>
> Also the pseudo-code in the appendices loops over *all* "usable" TLSA
> RRs (those not banned by 4.1).

Okay, I understand your point now. The text in 6698 is indeed doing some
half weird local policy client dictation that it should not have done.


> My proposal modifies the pseudo-code
> to loop over only those records (for each usage/selector) with the
> strongest digest plus any records with matching type 0.

So I agree with you that this is the right approach. I am not sure if I
agree that we should try and write that into an RFC other than
"according to local policy".

But the text should clearly not be like 6698; that would technically
violate the RFC if your method of local policy is implemented.

Paul
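The record selection Viktor describes in the quoted text above (loop only over the TLSA records that carry the strongest digest for each usage/selector pair, plus any matching type 0 records, instead of every "usable" record as in the 6698 appendix pseudo-code), written out as an added Python example; this is not code from the thread or from any DANE implementation, and the digest preference order, the TLSA field names and the constructed certificate bytes and RRset are assumptions.

```python
import hashlib
from collections import defaultdict
from typing import NamedTuple

# TLSA matching types from RFC 6698: 0 = full data, 1 = SHA-256, 2 = SHA-512.
FULL, SHA256, SHA512 = 0, 1, 2
DIGEST = {SHA256: hashlib.sha256, SHA512: hashlib.sha512}
DIGEST_PREFERENCE = (SHA512, SHA256)  # local policy, strongest first (assumed)

class TLSA(NamedTuple):
    usage: int
    selector: int
    matching_type: int
    data: bytes

def strongest_digest_only(records):
    """Per (usage, selector) group keep only records using the strongest
    locally supported digest present, plus matching type 0; drop the rest."""
    groups = defaultdict(list)
    for rr in records:
        groups[(rr.usage, rr.selector)].append(rr)
    kept = []
    for group in groups.values():
        present = {rr.matching_type for rr in group}
        strongest = next((mt for mt in DIGEST_PREFERENCE if mt in present), None)
        kept.extend(rr for rr in group if rr.matching_type in (FULL, strongest))
    return kept

def record_matches(rr, selected):
    # 'selected' is the certificate data after the selector (cert or SPKI) was applied.
    if rr.matching_type == FULL:
        return rr.data == selected
    h = DIGEST.get(rr.matching_type)
    return h is not None and h(selected).digest() == rr.data

def verify(records, selected):
    # Only records that survive the digest filter are ever compared.
    return any(record_matches(rr, selected) for rr in strongest_digest_only(records))

# Constructed stand-in certificate data and a constructed DANE-EE(3)/SPKI(1) RRset:
# correct SHA-256, correct SHA-512, stale SHA-256 of an old key, full data, type 99.
CERT = b"constructed-certificate-der-bytes"
RRSET = [
    TLSA(3, 1, SHA256, hashlib.sha256(CERT).digest()),
    TLSA(3, 1, SHA512, hashlib.sha512(CERT).digest()),
    TLSA(3, 1, SHA256, hashlib.sha256(b"old-key").digest()),
    TLSA(3, 1, FULL, CERT),
    TLSA(3, 1, 99, b"\x00" * 32),
]
```

Note that the SHA-256 record for the current certificate would match on its own, yet it is skipped because a SHA-512 record is present in the same usage/selector group; a group containing only SHA-256 records keeps them.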