Re: [dane] namespace management, DANE Client Authentication draft updated

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 14 January 2016 01:19 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B43111AD0C5 for <dane@ietfa.amsl.com>; Wed, 13 Jan 2016 17:19:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id py1_GCp7bgRq for <dane@ietfa.amsl.com>; Wed, 13 Jan 2016 17:19:14 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51F241AD0C3 for <dane@ietf.org>; Wed, 13 Jan 2016 17:19:14 -0800 (PST)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 4F4A2284809 for <dane@ietf.org>; Thu, 14 Jan 2016 01:19:13 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <20160114010138.66774.qmail@ary.lan>
Date: Wed, 13 Jan 2016 20:19:12 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <9C1F4A0C-0E08-4F6E-BDB1-74E55CB4EF2A@dukhovni.org>
References: <20160114010138.66774.qmail@ary.lan>
To: dane@ietf.org
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/ZC24wguiyu5KsKXpQwkQQE1-PUI>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2016 01:19:15 -0000

> On Jan 13, 2016, at 8:01 PM, John Levine <johnl@taugh.com> wrote:
> 
>> Because the client prefix-label a service *name*, so so the port
>> collision issue goes away.  We should not cargo-cult designs,
>> the rationale has to carry over logically, and false analogies
>> need to be avoided.
> 
> One man's cargo cult is another man's namespace management.  Every
> existing use of _<service> names is behind a _<proto> name, and there
> seems to me considerable merit to keep it that way, at the trivial
> cost of a possibly uninteresting _tcp or _udp in the name.  If the
> extra five bytes is an issue, I suppose we could use _c rather than
> _client for the client tag.
> 
> While saving five characters was a big deal when I was programming
> PDP-8's almost 50 years ago, I don't get it now.

This forces clients that use both TCP and UDP to publish their TLSA
records twice (or better publish one as a CNAME for the other, or
make both CNAMEs to a third thing).  Is this really worth it?

Folks are having a hard enough time publishing correct TLSA records,
and remembering to change all the copies.

-- 
	Viktor.