Re: [dane] DANE Client Authentication draft updated

Shumon Huque <shuque@gmail.com> Wed, 13 January 2016 01:47 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/TZY6Ainmy4lqlClbga8cuL6yS88>

On Tue, Jan 12, 2016 at 6:32 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> > On Jan 12, 2016, at 5:21 PM, Shumon Huque <shuque@gmail.com> wrote:
> >
> > On the "_smtp-client" label choice, I had originally used just "_smtp", but
> > a colleague more plugged into IANA service name registration procedures
> > advised me that I should choose a different client specific label. The
> > "_smtp" label is a server side label with an associated server side port,
> > and that reusing that label for a client identifier would elicit objections.
> >
>
> The reason I talked you out of it is that I wanted the query-domain for
> client TLSA records to be the same as the SRV-ID.  Injecting a sub-domain
> makes it more difficult to use the names in question if SRV-ID is
> what's in the certificate.
>
> Using the SRV-ID as the query domain is not an absolute requirement, but
> it is a simplification that should not be discarded too lightly.  Trade-off
> judgement call...
>

Ah yes, thanks for reminding me. I agree this is a useful rationale for
keeping the form the way that it is.

-- 
Shumon Huque