Re: [dane] DANE Client Authentication draft updated

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 12 January 2016 23:32 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53EAA1A9060 for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 15:32:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dg1CtZYIXIbH for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 15:32:37 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA58B1A9067 for <dane@ietf.org>; Tue, 12 Jan 2016 15:32:36 -0800 (PST)
Received: from [172.31.24.203] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id CD57F284809 for <dane@ietf.org>; Tue, 12 Jan 2016 23:32:35 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAHPuVdXYWoD5bZubAu5pEe18sfr69Nat=gp_7iagcVrAgTkY=g@mail.gmail.com>
Date: Tue, 12 Jan 2016 18:32:34 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <D54280D8-26E8-49C3-B43A-C9134D8FF2B2@dukhovni.org>
References: <CAHPuVdXb3HJfxayJbAqjYu4aYrHaJgeSrAVJ1GcnL863-6g7-Q@mail.gmail.com> <m3ziwa8sww.fsf@carbon.jhcloos.org> <CAHPuVdXYWoD5bZubAu5pEe18sfr69Nat=gp_7iagcVrAgTkY=g@mail.gmail.com>
To: dane@ietf.org
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/L1foEiANBCmG3FautwU68MciaXE>
Subject: Re: [dane] DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jan 2016 23:32:38 -0000

> On Jan 12, 2016, at 5:21 PM, Shumon Huque <shuque@gmail.com> wrote:
> 
> On the "_smtp-client" label choice, I had originally used just "_smtp", but
> a colleague more plugged into IANA service name registration procedures
> advised me that I should choose a different client specific label. The
> "_smtp" label is a server side label with an associated server side port,
> and that reusing that label for a client identifier would elicit objections.
> 

The reason I talked you out of it, is that I wanted the query-domain for
client TLSA records to be the same as the SRV-ID.  Injecting a sub-domain
makes it more difficult to use the names in question if SRV-ID is
what's in the certificate.

Using the SRV-ID as the query domains is not an absolute requirement, but
it is a simplification that should not be discard too lightly.  Trade-off
judgement call...

-- 
	Viktor.