Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt (chair guidance request)
Warren Kumari <warren@kumari.net> Tue, 26 May 2015 00:32 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2128A1A1A55 for <dane@ietfa.amsl.com>; Mon, 25 May 2015 17:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.079
X-Spam-Level:
X-Spam-Status: No, score=-0.079 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qK2leBIVnuFm for <dane@ietfa.amsl.com>; Mon, 25 May 2015 17:32:10 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3AC1A1A34 for <dane@ietf.org>; Mon, 25 May 2015 17:32:10 -0700 (PDT)
Received: by wifw1 with SMTP id w1so11774142wif.0 for <dane@ietf.org>; Mon, 25 May 2015 17:32:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=Ldso9i8ZALmuwro8M7sA4n2A00cjCT2w8l/Ky68k2hc=; b=QX2I463uzQKsvsW8dOBr5EJrK46zytUw6eZFff41OcELZtBeaJjldmVXgSFJR7Fkr7 DsxdLX5HYrYNFV3H395RFGd14Qsr+lLijUkQCGgMD2ah4Q4r9TDyGpERcxwlHBkwC1my yC1hulbTaWqFq4zHp4v622rftK997xbgFoCTbHHC9ETRX3CcSy9Zepallt6LwqBqTKKN sMZqakgmzqVbBPbeI627vYC6On00f6+2IRjsB285r53TkvmJOMxWxfgyCNm26cPQzT97 33eoC1JSeF2bVOuJf2je5hzTrTIxc6Ri+KmMJ/jWejV8BZgRUFCUWWTNWo4SIXjErO0Q dxcA==
X-Gm-Message-State: ALoCoQnTAnJqtiX51XPzwMIFM4HIrwNnnVtlnSEqmyQWpfolzSSTUqlh2oo/UU+fH8D9zIKqUqd7
MIME-Version: 1.0
X-Received: by 10.194.216.196 with SMTP id os4mr44412937wjc.117.1432600328308; Mon, 25 May 2015 17:32:08 -0700 (PDT)
Received: by 10.194.47.36 with HTTP; Mon, 25 May 2015 17:32:08 -0700 (PDT)
In-Reply-To: <CAHw9_iJUsgAh6v9K6EAoT_FJk60pyc14Ks=FA7wtM91bEDTtwQ@mail.gmail.com>
References: <20150513182627.9918.67542.idtracker@ietfa.amsl.com> <20150513183614.GC17272@mournblade.imrryr.org> <201505140015.t4E0F35B026773@new.toad.com> <20150514010741.GI17272@mournblade.imrryr.org> <20150514050948.GL17272@mournblade.imrryr.org> <1431596694.3274731.268516193.7C170F5C@webmail.messagingengine.com> <20150515060332.GX17272@mournblade.imrryr.org> <20150516054211.GF17272@mournblade.imrryr.org> <CAHw9_iLJ5QhLRgmNT-gZxRh_C_37zMDmo3KSR6Ny6ASw6H0+6g@mail.gmail.com> <20150521222428.GL17272@mournblade.imrryr.org> <CAHw9_iJUsgAh6v9K6EAoT_FJk60pyc14Ks=FA7wtM91bEDTtwQ@mail.gmail.com>
Date: Mon, 25 May 2015 20:32:08 -0400
Message-ID: <CAHw9_iJQMFUETmHUSG-LQnxLcRjdj5zc05KNA4cQ4FfQmtk+zQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: "<dane@ietf.org>" <dane@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/XXRsT2EjO88RjxHjt4lbOTUO7Uw>
Subject: Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt (chair guidance request)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 00:32:13 -0000
On Fri, May 22, 2015 at 1:34 PM, Warren Kumari <warren@kumari.net> wrote: > On Thu, May 21, 2015 at 6:24 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: >> On Thu, May 21, 2015 at 04:08:35PM -0400, Warren Kumari wrote: >> >>> > With Section 9 ideally no longer under a cloud of uncertainty, >>> > we would also update section 12: >>> >>> We have heard nothing from the working group saying that they are >>> unhappy with the new section 9, and it seems clear. >> >> And yet the language is somewhat muddy and repetitive, and confused >> at least John Gilmore about what it was trying to say. Furthermore >> Section 12 disclaims consensus, but I think we should reach concensus >> on digest agility (if we have not yet). >> >>> The Working Group reviewed this document, and we called consensus on >>> it (and then waited a bit to see if anyone came out of the woodwork, >>> looking sad), and so I believe that this *does* have WG consensus, and >>> so the [Note:...] can be removed. >> >> Thanks. I'll remove the note, but I would very much like to improve >> the clarity of the section 9 text (without changing the technical >> content). I have such an update queued-up. How might we proceed >> to adopt it? > > > Does anyone have any useful clarity improvement suggestions? > We'll wait until 12:00PM UTC on Wednesday (20:00ET), otherwise we'll > go ahead with the text as written, and ask Viktor to include it. <no hats> ... I have some very small grammar / readability suggestions. Take them if you like them, or ignore if you don't.... ------ <t> While <xref target="RFC6698"/> specifies multiple digest algorithms, it does not specify a protocol by which the client and TLSA record publisher can agree on the strongest shared algorithm. Such a protocol allows the client and server to avoid exposure to [O]: Such a protocol allows the client and server [P]: Such a protocol would allow the client and server [C]: We haven't specified the protocol yet, so different tense for readability. deprecated weaker algorithms that are published for compatibility with less capable clients, but which SHOULD be avoided when possible. We specify such a protocol below. </t> <t> This section defines a protocol for avoiding deprecated digest algorithms when these are published in a peer's TLSA RRset alongside stronger digest algorithms. Note that this protocol never avoids RRs with DANE matching type Full(0), as these do not employ a digest algorithm that might some day be weakened by cryptanalysis. </t> [WK] ... we hope -- or we have some *serious* issues. :-P <t> The ordering of digest algorithms by strength is not specified in advance; it is entirely up to the client. Client implementations SHOULD make the digest algorithm preference ordering a configurable option. </t> [O]: The ordering of digest algorithms by strength is not specified in advance; it is entirely up to the client. Client implementations SHOULD make the digest algorithm preference ordering a configurable option. [P]: While all clients SHOULD implement ordering of digest algorithms by strength, each client is free to decide upon the order of digest algorithms, from strongest to weakest. Client implementations SHOULD make the digest algorithm preference ordering a configurable option. [C]: The original paragraph is unclear as to whether the client can choose the order of the algorithms or whether the client can choose to implement this feature at all. <t> To make digest algorithm agility possible, all published DANE TLSA RRsets MUST conform to the requirements of <xref target="rrreq"/>. Clients SHOULD use digest algorithm agility when processing the peer's DANE TLSA records. Algorithm agility is to be applied after first discarding any unusable or malformed records (unsupported digest algorithm, or incorrect digest length). For each usage and selector, the client SHOULD process only any usable records with a matching type of Full(0) and the usable records whose digest algorithm is considered by the client to be the strongest among usable records with the given usage and selector. </t> <t> Example: a client implements digest agility and prefers SHA2-512(2) over SHA2-256(1), while the server publishes an RRset that employs both digest algorithms as well as a Full(0) record. </t> <figure> <artwork> _25._tcp.mail.example.com. IN TLSA 3 1 1 ( 3FE246A848798236DD2AB78D39F0651D 6B6E7CA8E2984012EB0A2E1AC8A87B72 ) _25._tcp.mail.example.com. IN TLSA 3 1 2 ( D4F5AF015B46C5057B841C7E7BAB759C BF029526D29520C5BE6A32C67475439E 54AB3A945D80C743347C9BD4DADC9D8D 57FAB78EAA835362F3CA07CCC19A3214 ) _25._tcp.mail.example.com. IN TLSA 3 1 0 ( 3059301306072A8648CE3D020106082A 8648CE3D0301070342000471CB1F504F 9E4B33971376C005445DACD33CD79A28 81C3DED1981F18E7AAA76609DD0E4EF2 8265C82703030AD60C5DBA6FB8A9397A C0FCF06D424C885D484887 ) </artwork> </figure> <t> In this case the client SHOULD accept a server public key that matches either the "3 1 0" record or the "3 1 2" record, but SHOULD not accept keys that match only the weaker "3 1 1" record. </t> ----- </no-hats> > > W > > >> >> -- >> Viktor. >> >> _______________________________________________ >> dane mailing list >> dane@ietf.org >> https://www.ietf.org/mailman/listinfo/dane > > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen those particular rabid weasels and that pair > of pants. > ---maf -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [dane] I-D Action: draft-ietf-dane-ops-08.txt internet-drafts
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt John Gilmore
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… nudge
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt John Gilmore
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt John Gilmore
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Warren Kumari
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Warren Kumari
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Warren Kumari
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Peter Saint-Andre - &yet
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt… Warren Kumari