Re: [dane] Compressed Call for Adoption: draft-gilmore-dane-rawkeys-00
John Gilmore <gnu@toad.com> Mon, 23 June 2014 17:58 UTC
Return-Path: <gnu@toad.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19F081B27CD for <dane@ietfa.amsl.com>; Mon, 23 Jun 2014 10:58:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.598
X-Spam-Level: *
X-Spam-Status: No, score=1.598 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_BRBL_LASTEXT=1.449, RP_MATCHES_RCVD=-0.651] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uN3OB8_ivXpQ for <dane@ietfa.amsl.com>; Mon, 23 Jun 2014 10:58:17 -0700 (PDT)
Received: from new.toad.com (new.toad.com [209.237.225.253]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BD251B29C9 for <dane@ietf.org>; Mon, 23 Jun 2014 10:58:14 -0700 (PDT)
Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id s5NHwAeo028474 for <dane@ietf.org>; Mon, 23 Jun 2014 10:58:10 -0700
Message-Id: <201406231758.s5NHwAeo028474@new.toad.com>
To: dane@ietf.org
In-reply-to: <20140623173434.GK17723@mournblade.imrryr.org>
References: <CAHw9_i+EtVskqkT1V9V_bvPOCpGdZpz4-Vr4ME_DiC7EvxVQwg@mail.gmail.com> <20140623150158.GE17723@mournblade.imrryr.org> <alpine.LFD.2.10.1406231151000.31024@bofh.nohats.ca> <20140623173434.GK17723@mournblade.imrryr.org>
Comments: In-reply-to Viktor Dukhovni <viktor1dane@dukhovni.org> message dated "Mon, 23 Jun 2014 17:34:34 -0000."
Date: Mon, 23 Jun 2014 10:58:10 -0700
From: John Gilmore <gnu@toad.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/WSfgpsEnHdY1a1S18xUNPbM9iuM
Subject: Re: [dane] Compressed Call for Adoption: draft-gilmore-dane-rawkeys-00
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jun 2014 17:58:20 -0000
> So if the scope of RFC 6698 is not TLS, is it just any application > where the 6698 RRDATA format seems to be useful? "What is the scope of the TLSA record?" is a great question to ask ourselves. (We may not ultimately need to answer it clearly; we may agree to hold different opinions.) My goals in the draft were, first, to enable the use of DNSSEC/DANE with TLS raw public keys; second, to repeal the statements in RFC 6698 that prevent the use of the TLSA record with keys that aren't in PKIX certificates. I only took on the second goal because it was required to enable the first goal. But once we have opened the door to raw public keys for TLS (at port numbers where TLS is used), I saw no reason to add restrictive language preventing anyone from using raw public keys at other ports or for other protocols. The name-prefixed design of the TLSA record tends to prevent such other uses from causing any problems to its main use with TLS. I see the goal of IETF standards as enabling interoperability. Where restrictions on user choices are needed to enable interoperability, we restrict them (e.g. with MUSTs or MUST NOTs). Where interoperability is not threatened, we need not and should not restrict users to only the usages and protocols that we have in mind today. > So for example, would it apply to publishing KDC public keys for > cross-realm pkinit? Does it matter whether the lookup key for the > RRDATA would likely not be "_port._proto.domain", or would that > make the Kerberos cross-realm key use-case fall outside this update > to 6698. In other words does the new draft only apply to some > kind of transport layer security (lower case to distinguish from > TLS) where the end-point identity is necessarily _port._proto, > with with a TLSA-like RRDATA format? When I was working on Kerberos many years ago, the KDC was running on a particular, standardized port (UDP port 88). So it probably would fit into the TLSA scheme at _88._udp.example.com if we wanted it to. A larger issue with Kerberos at that time was the protocol's insistence that Kerberos "realms" are not "domain names". To emphasize that distinction, the Kerberos documentation and common usage tended to make realms names UPPERCASE. At the time, that seemed to me to be a relatively useless distinction, but I was a newcomer to Kerberos. At Cygnus, we evolved the Kerberos software such that if you chose to make your realm name match your domain name, the software would do useful things by default, that would require pre-configuration if your realm name did not match your domain name. I do not know if that usage has caught on. In the Raw Public Keys draft, I had no intent to change the TLSA requirement for a _port._proto prefix, so if Kerberos realm authentication with TLSA ultimately ends up requiring such a change, the future DANE Kerberos draft itself will probably have to relax that requirement. John
- [dane] Compressed Call for Adoption: draft-gilmor… Warren Kumari
- Re: [dane] Compressed Call for Adoption: draft-gi… Peter Koch
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… James Cloos
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… John Gilmore
- Re: [dane] Compressed Call for Adoption: draft-gi… Martin Rex
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Martin Rex
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Martin Rex
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… John Gilmore
- Re: [dane] Compressed Call for Adoption: draft-gi… James Cloos
- Re: [dane] Compressed Call for Adoption: draft-gi… Tom Gindin
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Hoffman
- Re: [dane] Compressed Call for Adoption: draft-gi… Michael Richardson
- Re: [dane] Compressed Call for Adoption: draft-gi… Michael Richardson
- Re: [dane] Compressed Call for Adoption: draft-gi… Viktor Dukhovni
- Re: [dane] Compressed Call for Adoption: draft-gi… James Cloos
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… Paul Wouters
- Re: [dane] Compressed Call for Adoption: draft-gi… Sean Turner
- Re: [dane] Compressed Call for Adoption: draft-gi… Warren Kumari