IETF Logo Mail Archive

Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt (chair guidance request)

Warren Kumari <warren@kumari.net> Tue, 26 May 2015 00:32 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2128A1A1A55 for <dane@ietfa.amsl.com>; Mon, 25 May 2015 17:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.079
X-Spam-Level:
X-Spam-Status: No, score=-0.079 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qK2leBIVnuFm for <dane@ietfa.amsl.com>; Mon, 25 May 2015 17:32:10 -0700 (PDT)
Received: from mail-wi0-f170.google.com (mail-wi0-f170.google.com [209.85.212.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3AC1A1A34 for <dane@ietf.org>; Mon, 25 May 2015 17:32:10 -0700 (PDT)
Received: by wifw1 with SMTP id w1so11774142wif.0 for <dane@ietf.org>; Mon, 25 May 2015 17:32:08 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=Ldso9i8ZALmuwro8M7sA4n2A00cjCT2w8l/Ky68k2hc=; b=QX2I463uzQKsvsW8dOBr5EJrK46zytUw6eZFff41OcELZtBeaJjldmVXgSFJR7Fkr7 DsxdLX5HYrYNFV3H395RFGd14Qsr+lLijUkQCGgMD2ah4Q4r9TDyGpERcxwlHBkwC1my yC1hulbTaWqFq4zHp4v622rftK997xbgFoCTbHHC9ETRX3CcSy9Zepallt6LwqBqTKKN sMZqakgmzqVbBPbeI627vYC6On00f6+2IRjsB285r53TkvmJOMxWxfgyCNm26cPQzT97 33eoC1JSeF2bVOuJf2je5hzTrTIxc6Ri+KmMJ/jWejV8BZgRUFCUWWTNWo4SIXjErO0Q dxcA==
X-Gm-Message-State: ALoCoQnTAnJqtiX51XPzwMIFM4HIrwNnnVtlnSEqmyQWpfolzSSTUqlh2oo/UU+fH8D9zIKqUqd7
MIME-Version: 1.0
X-Received: by 10.194.216.196 with SMTP id os4mr44412937wjc.117.1432600328308; Mon, 25 May 2015 17:32:08 -0700 (PDT)
Received: by 10.194.47.36 with HTTP; Mon, 25 May 2015 17:32:08 -0700 (PDT)
In-Reply-To: <CAHw9_iJUsgAh6v9K6EAoT_FJk60pyc14Ks=FA7wtM91bEDTtwQ@mail.gmail.com>
References: <20150513182627.9918.67542.idtracker@ietfa.amsl.com> <20150513183614.GC17272@mournblade.imrryr.org> <201505140015.t4E0F35B026773@new.toad.com> <20150514010741.GI17272@mournblade.imrryr.org> <20150514050948.GL17272@mournblade.imrryr.org> <1431596694.3274731.268516193.7C170F5C@webmail.messagingengine.com> <20150515060332.GX17272@mournblade.imrryr.org> <20150516054211.GF17272@mournblade.imrryr.org> <CAHw9_iLJ5QhLRgmNT-gZxRh_C_37zMDmo3KSR6Ny6ASw6H0+6g@mail.gmail.com> <20150521222428.GL17272@mournblade.imrryr.org> <CAHw9_iJUsgAh6v9K6EAoT_FJk60pyc14Ks=FA7wtM91bEDTtwQ@mail.gmail.com>
Date: Mon, 25 May 2015 20:32:08 -0400
Message-ID: <CAHw9_iJQMFUETmHUSG-LQnxLcRjdj5zc05KNA4cQ4FfQmtk+zQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: "<dane@ietf.org>" <dane@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/XXRsT2EjO88RjxHjt4lbOTUO7Uw>
Subject: Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt (chair guidance request)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 00:32:13 -0000

On Fri, May 22, 2015 at 1:34 PM, Warren Kumari <warren@kumari.net> wrote:
> On Thu, May 21, 2015 at 6:24 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>> On Thu, May 21, 2015 at 04:08:35PM -0400, Warren Kumari wrote:
>>
>>> > With Section 9 ideally no longer under a cloud of uncertainty,
>>> > we would also update section 12:
>>>
>>> We have heard nothing from the working group saying that they are
>>> unhappy with the new section 9, and it seems clear.
>>
>> And yet the language is somewhat muddy and repetitive, and confused
>> at least John Gilmore about what it was trying to say.  Furthermore
>> Section 12 disclaims consensus, but I think we should reach concensus
>> on digest agility (if we have not yet).
>>
>>> The Working Group reviewed this document, and we called consensus on
>>> it (and then waited a bit to see if anyone came out of the woodwork,
>>> looking sad), and so I believe that this *does* have WG consensus, and
>>> so the [Note:...] can be removed.
>>
>> Thanks.  I'll remove the note, but I would very much like to improve
>> the clarity of the section 9 text (without changing the technical
>> content).   I have such an update queued-up.  How might we proceed
>> to adopt it?
>
>
> Does anyone have any useful clarity improvement suggestions?
> We'll wait until 12:00PM UTC on Wednesday (20:00ET), otherwise we'll
> go ahead with the text as written, and ask Viktor to include it.


<no hats>
... I have some very small grammar / readability suggestions.


Take them if you like them, or ignore if you don't....

------

<t>
  While <xref target="RFC6698"/> specifies multiple digest algorithms,
  it does not specify a protocol by which the client and TLSA record
  publisher can agree on the strongest shared algorithm.  Such a
  protocol allows the client and server to avoid exposure to

[O]: Such a protocol allows the client and server
  [P]: Such a protocol would allow the client and server
  [C]: We haven't specified the protocol yet, so different tense for
readability.

  deprecated weaker algorithms that are published for compatibility
  with less capable clients, but which SHOULD be avoided when
  possible.  We specify such a protocol below.
</t>

<t>
  This section defines a protocol for avoiding deprecated digest
  algorithms when these are published in a peer's TLSA RRset alongside
  stronger digest algorithms.  Note that this protocol never avoids
  RRs with DANE matching type Full(0), as these do not employ a
  digest algorithm that might some day be weakened by cryptanalysis.
</t>

[WK] ... we hope -- or we have some *serious* issues. :-P


<t>
  The ordering of digest algorithms by strength is not specified
  in advance; it is entirely up to the client.  Client implementations
  SHOULD make the digest algorithm preference ordering a configurable
  option.
</t>
[O]: The ordering of digest algorithms by strength is not specified
  in advance; it is entirely up to the client.  Client implementations
  SHOULD make the digest algorithm preference ordering a configurable
  option.
  [P]: While all clients SHOULD implement ordering of digest algorithms
  by strength, each client is free to decide upon the order of digest
algorithms,
  from strongest to weakest. Client implementations SHOULD make the digest
  algorithm preference ordering a configurable option.
  [C]: The original paragraph is unclear as to whether the client can choose the
  order of the algorithms or whether the client can choose to implement this
  feature at all.


<t>
  To make digest algorithm agility possible, all published DANE
  TLSA RRsets MUST conform to the requirements of <xref target="rrreq"/>.
  Clients SHOULD use digest algorithm agility when processing the
  peer's DANE TLSA records.  Algorithm agility is to be applied
  after first discarding any unusable or malformed records (unsupported
  digest algorithm, or incorrect digest length).  For each usage
  and selector, the client SHOULD process only any usable records
  with a matching type of Full(0) and the usable records whose
  digest algorithm is considered by the client to be the strongest
  among usable records with the given usage and selector.
</t>

<t>
  Example: a client implements digest agility and prefers SHA2-512(2)
  over SHA2-256(1), while the server publishes an RRset that employs
  both digest algorithms as well as a Full(0) record.
</t>

  <figure>
  <artwork>
_25._tcp.mail.example.com. IN TLSA 3 1 1 (
                              3FE246A848798236DD2AB78D39F0651D
                              6B6E7CA8E2984012EB0A2E1AC8A87B72 )
_25._tcp.mail.example.com. IN TLSA 3 1 2 (
                              D4F5AF015B46C5057B841C7E7BAB759C
                              BF029526D29520C5BE6A32C67475439E
                              54AB3A945D80C743347C9BD4DADC9D8D
                              57FAB78EAA835362F3CA07CCC19A3214 )
_25._tcp.mail.example.com. IN TLSA 3 1 0 (
                              3059301306072A8648CE3D020106082A
                              8648CE3D0301070342000471CB1F504F
                              9E4B33971376C005445DACD33CD79A28
                              81C3DED1981F18E7AAA76609DD0E4EF2
                              8265C82703030AD60C5DBA6FB8A9397A
                              C0FCF06D424C885D484887 )
  </artwork>
  </figure>

<t>
  In this case the client SHOULD accept a server public key that
  matches either the "3 1 0" record or the "3 1 2" record, but
  SHOULD not accept keys that match only the weaker "3 1 1" record.
</t>

-----
</no-hats>

>
> W
>
>
>>
>> --
>>         Viktor.
>>
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
>
>
>
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email