[dane] AD review of draft-ietf-dane-smime-14
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 07 February 2017 16:13 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F63B129CFD for <dane@ietfa.amsl.com>; Tue, 7 Feb 2017 08:13:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQkpT3mSUqcP for <dane@ietfa.amsl.com>; Tue, 7 Feb 2017 08:13:04 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57F28129D07 for <dane@ietf.org>; Tue, 7 Feb 2017 08:13:02 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3DD80BE56 for <dane@ietf.org>; Tue, 7 Feb 2017 16:13:00 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nGIg-aFxNhE for <dane@ietf.org>; Tue, 7 Feb 2017 16:12:58 +0000 (GMT)
Received: from [10.87.48.75] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 433BEBE53 for <dane@ietf.org>; Tue, 7 Feb 2017 16:12:58 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1486483978; bh=hqX8itqGlRV+vs952aqYSROvuICRvLIWB2C2saQxmxM=; h=To:From:Subject:Date:From; b=zPePful6Ejr/Kc034cvqegvtU1H7SLsRaRk4QYP0g9tH1Qyj98fhSgJl0FvSTttFu PmO4aVNO1dVaGQiPpXqmitDDiuyalP3IBqGgAGZ/iPp/JdkRB0mo6xf3HSZJHTPMv8 4f4Y++814YtXv2uEEl2wjBSCYc19Kb8SZckj7aw0=
To: dane <dane@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <88918ddd-35c5-6759-5311-0f3e8f45be33@cs.tcd.ie>
Date: Tue, 07 Feb 2017 16:12:57 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms090302080509070104080403"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/K5JAFTIwRIxkQcKraY-L44IJD4I>
Subject: [dane] AD review of draft-ietf-dane-smime-14
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 16:13:06 -0000
Hi, I've done my AD review of this draft. My own comments on the content are below (the one I'd most like to see fixed is the "escrow" stuff) and are ok to be handled along with other IETF LC comments. However, before I start IETF LC I would like to be sure that the WG are ok with the IPR declaration [1] filed in 2014 that said "Licensing Declaration to be Provided Later." I think 2017 is "later" enough to ask whether that the WG (via the chairs) explicitly declare that they are ok that this has yet to be clarified. Cheers, S. [1] https://datatracker.ietf.org/ipr/2468/ - abstract: Someone will want DANE expanded. Better to avoid the acronym maybe. - intro: "Some people want..." is odd - that is not a technical justification and the entire paragraph is not that convincing. I'd say deleting that para would be better. Or add a real justification for the experiment which I think relates more to attempting to mitigate the difficulty of finding certs from outside the enterprise than anything else. - intro: I'd suggest adding a sentence about how this is similar to RFC7929. As a reader, I'd find it odd to only find that out later. - section 3: This is the same idea as in RFC 7929 right? (Other than _smimecert I mean,) If so then saying so is right as it'll help with IETF LC and IESG review and for developers. If those differ, then saying how and why I think would be needed. - section 4: Please check whether this is all fine when also considering draft-ietf-lamps-eai-addresses (also in IETF LC). That check may need to wait a little bit until we're done with the LC comment handling for the LAMPS deraft. - Section 9: the discussion of an MTA doing the outbound encryption seems a bit theoretical - I don't recall that being dnoe in reality except maybe in very special cases like nested smime, or military messaging. Am I wrong about that? - section 9: I think the text about escrow would be better after the current last para (where you call out the danger of bad public keys being put in the DNS), and this (escrow) ought be described as a special case of that attack, where the attacker is the organisation itself. (While there are cases where the organisation doing this is not intended as an attack, were it done for most DNS names, it would mostly be an attack, and is not distinguishable from an attack for the sender, so therefore it ought IMO be considered an attack.) - section 9: s/MUST not/MUST NOT/ or I-D nits complains - section 11: I-D nits complains, maybe calling this "normative references" would help, but in any case, please consider/fix this.
- [dane] AD review of draft-ietf-dane-smime-14 Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smime-14 Paul Wouters
- Re: [dane] AD review of draft-ietf-dane-smime-14 John Levine
- Re: [dane] AD review of draft-ietf-dane-smime-14 Paul Wouters
- Re: [dane] AD review of draft-ietf-dane-smime-14 Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smime-14 John Levine
- Re: [dane] AD review of draft-ietf-dane-smime-14 Marc Groeneweg
- Re: [dane] AD review of draft-ietf-dane-smime-14 Warren Kumari
- Re: [dane] AD review of draft-ietf-dane-smime-14 Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smime-14 Warren Kumari
- [dane] free wasRe: AD review of draft-ietf-dane-s… D S Misell
- [dane] free for use was Re: AD review of draft-ie… D S Misell
- Re: [dane] AD review of draft-ietf-dane-smime-14 Warren Kumari
- Re: [dane] AD review of draft-ietf-dane-smime-14 Paul Hoffman
- Re: [dane] AD review of draft-ietf-dane-smime-14 Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smime-14 Stephen Farrell
- Re: [dane] AD review of draft-ietf-dane-smime-14 Warren Kumari