IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 25 February 2015 21:41 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 088FE1A88EA for <dane@ietfa.amsl.com>; Wed, 25 Feb 2015 13:41:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.399
X-Spam-Level:
X-Spam-Status: No, score=-3.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, J_CHICKENPOX_47=0.6, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCCSI6_4tMIp for <dane@ietfa.amsl.com>; Wed, 25 Feb 2015 13:41:20 -0800 (PST)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FB641A88F1 for <dane@ietf.org>; Wed, 25 Feb 2015 13:41:20 -0800 (PST)
Received: by iecar1 with SMTP id ar1so8809443iec.11 for <dane@ietf.org>; Wed, 25 Feb 2015 13:41:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=TjPnKBz3YJ9Mvei8DNIsgzasxQQCOoJyuctFz9jcT64=; b=bwED3M3PcSNhOHGA1WFVSUVeosb4HdtMUmZhX1T0HXMqUwob7AG1i38Lwu7QAaZama i74iENCx0CkbRN6OA67HI1jpuVV0x+PDqN6eTsaQCjzCa6TeseY9NWGMb/ceHbC+JJae tB3KbZoC09dQXMPPkCjFrmcUvUsJc6SBtgURZ92ftAjGpztVB9gWS5sMbjhmkgCWRuWX YMbMdDse5sNjkEI9+lAWsvN1y4p43KFBh43jEauuQW2gBFOXzxO8tylrx4l/2Kh8HSZ2 Oh2lrwIN1XB4LlmM/Ub16NQ4UOZrVl+SrbdgK3YOayKzKZm1U9XorEGoLW8YJKzBvQma i74w==
MIME-Version: 1.0
X-Received: by 10.42.204.205 with SMTP id fn13mr6267545icb.67.1424900479607; Wed, 25 Feb 2015 13:41:19 -0800 (PST)
Received: by 10.64.80.193 with HTTP; Wed, 25 Feb 2015 13:41:19 -0800 (PST)
In-Reply-To: <20150225191500.GZ1260@mournblade.imrryr.org>
References: <001a01d04f19$b0292e90$107b8bb0$@augustcellars.com> <20150223035230.GD1260@mournblade.imrryr.org> <001b01d04f1c$f626c940$e2745bc0$@augustcellars.com> <20150223040833.GF1260@mournblade.imrryr.org> <CAHw9_iJ167aCbpW=Fni0h_vsWLcWQVLC1P7vkr6X0cmAV9zG=g@mail.gmail.com> <20150223225630.GO1260@mournblade.imrryr.org> <CAHw9_iKNwGBOqdLm04Lqox6ai5tzK1Q-WfkxY=Qvtx+uOG1Qpw@mail.gmail.com> <alpine.LFD.2.10.1502251246430.3004@bofh.nohats.ca> <20150225181322.GU1260@mournblade.imrryr.org> <alpine.LFD.2.10.1502251356430.6550@bofh.nohats.ca> <20150225191500.GZ1260@mournblade.imrryr.org>
Date: Wed, 25 Feb 2015 13:41:19 -0800
Message-ID: <CAH1iCipV1Mi03d-AGDHsZv5Lm=OT6ta3m7vBU5uJWsXhN89TzA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: "dane@ietf.org" <dane@ietf.org>
Content-Type: multipart/alternative; boundary="20cf30426de4ed6940050ff07ece"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/XwzvNPI0oghx4HI4eKHzO_w9AU8>
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 21:41:23 -0000

Top-reply to raise (IMHO) a major issue:

This is not only a "publish vs discover" issue, it also is dangerously
close to the IDNA rat-hole.

I wasn't around when the latter came up, but I think DNSEXT dodged a bullet
very wisely, by making it the applications' responsibility to handle
any/all case folding beyond ASCII.

There are also scale issues, e.g. consider use cases where #users in a
domain vary in order of magnitude. What works for O(10e3) does not work for
O(10e6), and definitely does not work for O(10e9).

There are implications to DNS resolution & caching, if you consider stub,
recursive, and authoritative actors. It may be the case that multiple
queries need to be done by the stub, regardless of approach. However, if
policy discovery involves looking up a single common record per DNS zone
(e.g. rhs of email address), then this is cacheable and reduces both the
size of the publishing zone, as well as the number of queries by the
recursive to the authoritative, per client query.

I implore everyone to please consider the design:

_casefolding RRTYPE RDATA as a way of allowing the zone owner to publish
all the case-folding rules for the zone, and require the client to use this
to discover the canonical (published) owner name for a given email address.

Brian

P.S. For those not familiar with it: The IDNA rat-hole involves
case-folding of >2:1, as well as things like Greek language where there are
lots of rules governing variant code points depending on context
(first/last letter of a word). Putting that into DNS would have been an
absolute nightmare, and pushing back on that request was IMHO the right
thing to do.

On Wed, Feb 25, 2015 at 11:15 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Wed, Feb 25, 2015 at 02:01:38PM -0500, Paul Wouters wrote:
>
> > On Wed, 25 Feb 2015, Viktor Dukhovni wrote:
> >
> > >Once the client is making two queries, why accept collisions?  Are
> > >we (after all these years) finally defining RFC-822/2822/5322 local
> > >parts to be case-insensitive?  (Price of progress and all that?)
> > >
> > >Is a CNAME per-user really a major burden?
> >
> > It's not one CNAME, it is many CNAMEs. You'll be hashing paul, Paul
> > paul.wouters, Paul.Wouters, etc. I'd be better of with a wilcard :P
>
> One CNAME per case-insensitive name (if the preferred form is mixed
> or upper case).  Those other names you're mentioning if they all
> share the same underlying keys would be CNAMEs you'd have to create
> with or without my proposal for a mechanism to publish case-insensitive
> names.
>
> > The client needs smart logic anyway, and the client at least has a user
> > it can interact with. It can ask "A key for Paul@nohats.ca does not
> > exist but there is a key for paul@nohats.ca".
>
> Why ask the user, when the server can just publish the fact that
> all upper/mixed-case veriants of "paul" are the same mailbox.
>
> > Needing to roll out between 2 and 4 different capitalizations for
> > different [Ff]irstname.[Ll]astname makes everything more errorprone
> > and the client still needs its logic and user interaction.
>
> The I don't how you get to "4".  You can publish exactly one owner
> for each case-insensitive "LocalPart", no CNAMEs required if you
> are willing to accept clients making two queries to find keys in
> your domain (space/time trade-off):
>
>         SHA2-224(localpart@lowercase) IN <RDATA>
>
> Optionally, for faster queries, if the mailbox has a preferred
> form:
>
>         SHA2-224(LocalPart)             IN <RDATA>
>         SHA2-224(localpart@lowercase)   IN CNAME SHA2-224(LocalPart)
>
> If there's also a "Local.Part" and "local.part" to go with it, that
> it is completely separate from my proposal which deals only with
> handling case-insensitive matching.  The overhead of supporting
> case-insensitive matching is at most a second (CNAME) record for
> each record that would be there in the absence of the proposal.
>
> --
>         Viktor.
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
>

v2.23.0 | Report a Bug | By Email