Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt

Paul Wouters <paul@nohats.ca> Mon, 25 July 2016 13:33 UTC

Date: Mon, 25 Jul 2016 09:33:18 -0400
From: Paul Wouters <paul@nohats.ca>
To: Warren Kumari <warren@kumari.net>
Cc: dane WG list <dane@ietf.org>

On Sun, 24 Jul 2016, Warren Kumari wrote:

> A reminder that this WGLC closes tomorrow -- so far we have not really
> seen sufficient feedback on this document. PLEASE review this document
> and provide comment.

I have reviewed the document. I think it is ready for IETF LC but it
could see a few small changes:

It should probably update its reference in the introduction to list the
soon-to-be RFC 7929 (openpgpkey) and wait on that doc (in AUTH48 now)
to go out first.

 	The SMIMEA resource record has no special TTL requirements.

During openpgpkey discussion, it was decided it was better to remove
this line. I would think the same applies to smime.

During openpgpkey discussion, people insisted on specifying the
"experimental goal" of the Experimental RFC. That section is missing
in this document.

Section 3's title is a bit long. In openpgpkey we used a shorter
title. I suggest "Location of the SMIMEA record".

The openpgpkey had updated the "tcp only" phrasing to make it more
layer agnostic and mentions DNS-COOKIES as a defense and method to
allow UDP. You might want to consider using the same approach instead
of banning UDP altogether.

> I also wanted to make sure people (including the authors) had seen:
> https://www.ietf.org/mail-archive/web/dane/current/msg08382.html

This has come up in the past when discussing SMIME. One suggestion was
to use a different prefix (like _encrypt. and _sign.). When this was
brought up, the patent status of this was not entirely clear, and there
were privacy discussions raised on exposing queries to the purpose of
the query. Perhaps the document can state that if the certificate is
obtained via SMIMEA, it should be checked whether it is suitable for
the task to perform. And that publishers are encouraged to publish
SMIMEA records for certificates that allow both signing and encryption.
But this latter approach did not have a clear consensus.

Paul

> W
>
> On Sat, Jul 9, 2016 at 12:53 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
>>
>> Dear Colleagues
>>
>> The editors of https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have
>> requested a WGLC,
>> the chairs are satisfied that the document is in good shape. This message
>> starts a three week WG LC,
>> that concludes on Monday July 25 23:59 UTC (we have extended the
>> usual 2 weeks because of the upcoming meeting, travel, etc).
>>
>> This document is on the Experimental track, it is a close relative of a
>> prior document from our group
>> https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/  which is in
>> AUTH-48 at this point.
>> Any discussions on “local part” other than to point out a difference between
>> the OPENPGP document and this one are
>> out of scope.
>>
>> Any other issues should be brought forward
>>
>> thanks
>>   Olafur & Warren
>>
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
>>
>
>
>
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf
>
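The two publisher-side steps the thread touches on (where the SMIMEA record lives, Section 3, and what a publisher puts in it) as an added example; this is not code from the draft or from anyone on the list. The owner-name rule (SHA2-256 of the UTF-8 local-part, truncated to 28 octets, under `_smimecert`) is taken from the published SMIMEA RFC (RFC 8162, mirroring RFC 7929), not from this message; the certificate bytes are constructed placeholders, not a real certificate.

```python
import hashlib

SMIMEA_LABEL = "_smimecert"


def smimea_owner_name(email: str) -> str:
    """Owner name of the SMIMEA record for an email address.

    SHA2-256 over the UTF-8 local-part, truncated to 28 octets and hex
    encoded, then "._smimecert." and the domain. The local-part is hashed
    exactly as written: it is NOT lower-cased or otherwise normalised here,
    so "Hugh@" and "hugh@" land on different owner names.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{SMIMEA_LABEL}.{domain}"


def smimea_rdata(data: bytes, usage: int = 3, selector: int = 0,
                 matching_type: int = 1) -> str:
    """Presentation format of SMIMEA RDATA (same layout as TLSA, RFC 6698).

    Defaults: usage 3 (DANE-EE), selector 0 (full certificate),
    matching type 1 (SHA2-256). `data` must already be what the selector
    covers: the DER certificate for selector 0, the DER
    SubjectPublicKeyInfo for selector 1 (not extracted here).
    """
    for name, value in (("usage", usage), ("selector", selector),
                        ("matching type", matching_type)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} out of range: {value}")
    if matching_type == 0:
        assoc = data                          # full data, no hash
    elif matching_type == 1:
        assoc = hashlib.sha256(data).digest()
    elif matching_type == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unsupported matching type {matching_type}")
    return f"{usage} {selector} {matching_type} {assoc.hex()}"


if __name__ == "__main__":
    # Constructed placeholder, not a real certificate.
    fake_cert_der = b"\x30\x03\x02\x01\x01"
    owner = smimea_owner_name("hugh@example.com")
    print(f"{owner}. IN SMIMEA {smimea_rdata(fake_cert_der)}")
```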