IETF Logo Mail Archive

[dane] AD review of draft-ietf-dane-smime-14

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 07 February 2017 16:13 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F63B129CFD for <dane@ietfa.amsl.com>; Tue, 7 Feb 2017 08:13:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQkpT3mSUqcP for <dane@ietfa.amsl.com>; Tue, 7 Feb 2017 08:13:04 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57F28129D07 for <dane@ietf.org>; Tue, 7 Feb 2017 08:13:02 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3DD80BE56 for <dane@ietf.org>; Tue, 7 Feb 2017 16:13:00 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nGIg-aFxNhE for <dane@ietf.org>; Tue, 7 Feb 2017 16:12:58 +0000 (GMT)
Received: from [10.87.48.75] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 433BEBE53 for <dane@ietf.org>; Tue, 7 Feb 2017 16:12:58 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1486483978; bh=hqX8itqGlRV+vs952aqYSROvuICRvLIWB2C2saQxmxM=; h=To:From:Subject:Date:From; b=zPePful6Ejr/Kc034cvqegvtU1H7SLsRaRk4QYP0g9tH1Qyj98fhSgJl0FvSTttFu PmO4aVNO1dVaGQiPpXqmitDDiuyalP3IBqGgAGZ/iPp/JdkRB0mo6xf3HSZJHTPMv8 4f4Y++814YtXv2uEEl2wjBSCYc19Kb8SZckj7aw0=
To: dane <dane@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <88918ddd-35c5-6759-5311-0f3e8f45be33@cs.tcd.ie>
Date: Tue, 07 Feb 2017 16:12:57 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms090302080509070104080403"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/K5JAFTIwRIxkQcKraY-L44IJD4I>
Subject: [dane] AD review of draft-ietf-dane-smime-14
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 16:13:06 -0000

Hi,

I've done my AD review of this draft. My own comments
on the content are below (the one I'd most like to
see fixed is the "escrow" stuff) and are ok to be
handled along with other IETF LC comments.

However, before I start IETF LC I would like to be
sure that the WG are ok with the IPR declaration [1]
filed in 2014 that said "Licensing Declaration to
be Provided Later." I think 2017 is "later" enough
to ask whether that the WG (via the chairs) explicitly
declare that they are ok that this has yet to be
clarified.

Cheers,
S.

[1] https://datatracker.ietf.org/ipr/2468/

- abstract: Someone will want DANE expanded. Better to avoid
the acronym maybe.

- intro: "Some people want..." is odd - that is not a
technical justification and the entire paragraph is not that
convincing.  I'd say deleting that para would be better. Or
add a real justification for the experiment which I think
relates more to attempting to mitigate the difficulty of
finding certs from outside the enterprise than anything else.

- intro: I'd suggest adding a sentence about how this is
similar to RFC7929. As a reader, I'd find it odd to only find
that out later.

- section 3: This is the same idea as in RFC 7929 right?
(Other than _smimecert I mean,) If so then saying so is right
as it'll help with IETF LC and IESG review and for
developers. If those differ, then saying how and why I think
would be needed.

- section 4: Please check whether this is all fine when also
considering draft-ietf-lamps-eai-addresses (also in IETF LC).
That check may need to wait a little bit until we're done
with the LC comment handling for the LAMPS deraft.

- Section 9: the discussion of an MTA doing the outbound
encryption seems a bit theoretical - I don't recall that
being dnoe in reality except maybe in very special cases like
nested smime, or military messaging. Am I wrong about that?

- section 9: I think the text about escrow would be better
after the current last para (where you call out the danger of
bad public keys being put in the DNS), and this (escrow)
ought be described as a special case of that attack, where
the attacker is the organisation itself. (While there are
cases where the organisation doing this is not intended as an
attack, were it done for most DNS names, it would mostly be
an attack, and is not distinguishable from an attack for the
sender, so therefore it ought IMO be considered an attack.)

- section 9: s/MUST not/MUST NOT/ or I-D nits complains

- section 11: I-D nits complains, maybe calling this
"normative references" would help, but in any case, please
consider/fix this.

v2.23.0 | Report a Bug | By Email