IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Warren Kumari <warren@kumari.net> Sun, 01 December 2013 19:00 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E70731AE5C8 for <dane@ietfa.amsl.com>; Sun, 1 Dec 2013 11:00:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iXsOUrdF1zzs for <dane@ietfa.amsl.com>; Sun, 1 Dec 2013 11:00:45 -0800 (PST)
Received: from vimes.kumari.net (smtp1.kumari.net [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D7A1AE5DF for <dane@ietf.org>; Sun, 1 Dec 2013 11:00:45 -0800 (PST)
Received: from [192.168.0.187] (c-98-244-98-35.hsd1.va.comcast.net [98.244.98.35]) by vimes.kumari.net (Postfix) with ESMTPSA id 4D1251B40621; Sun, 1 Dec 2013 14:00:42 -0500 (EST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <309DDDEA-6A01-4A68-AFCE-9B6A1B2CE874@ogud.com>
Date: Sun, 01 Dec 2013 14:00:41 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <2A8E39E3-5E76-4724-8CE0-839EA2678B65@kumari.net>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <024c01cec2dc$72b596e0$5820c4a0$@augustcellars.com> <309DDDEA-6A01-4A68-AFCE-9B6A1B2CE874@ogud.com>
To: Olafur Gudmundsson <ogud@ogud.com>
X-Mailer: Apple Mail (2.1510)
Cc: dane@ietf.org
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Dec 2013 19:00:48 -0000

On Oct 16, 2013, at 4:41 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:

> 
> On Oct 6, 2013, at 5:38 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> 
>> Sorry for being late on getting this in.
>> 
>> 1.  I do not understand the reasoning behind the 2119 language in the
>> introduction.  How would one test this in a protocol fashion?   The document
>> states that it does not change DANE in anyway, but there are requirement
>> language statements that can be made?  This should be stated in  natural
>> language not requirement language.  Section 1.1 can them be removed in its
>> entirety.
>> 
> 
> There two instances of MAY and MAY NOT
> I reworded them and removed section 1.1
> 
>> It is expected that DANE parsers in applications and DNS software will adopt
>> these acronyms for parsing and display purposes, however there are no
>> requirements that they do so.
>> 
>> 2.  In section 2, it states that the references should be both RFC 6698 and
>> this document, however that is not the way that the tables starting in
>> section 2.1 are laid out.  They only use RFC 6698 as a reference document.
>> 
> 
> There are two different set of references 
> a) the references for the Registry itself 
> b) the references for each allocation in the registry. 
> 
> This document only applies to the first one 
> and that is what I said. 
> 
> 
>> 3 s/input>/input./
>> 
> Fixed
> 
>> 4.  I don't think that this phrase "fewer bad TLSA records" is very helpful.
>> What is meant by a bad TLSA record?  Is this just ones where the fields were
>> put out of order or does it include ones where the certificate is
>> incorrectly hashed?  If the goal is to avoid issues with the certificates
>> and what is extracted, then doing something about what goes into the blob
>> would make sense as well.  I would agree that specifying how this would be
>> done is out of scope, but noting it as an issue would be reasonable.
>> 
> 
> I agree and removed that sentence. 
> 
>> 5.  As I have stated before, I am not a fan of using DANE-TA for value 2.
>> To me this loses the fact that there will be PKIX processing that occurs
>> with this section.  I would strongly recommend that this become PKIX-TA.
>> The use of PKIX-TA for the value of 0 never made any sense since there is
>> not trust anchor decision that is associated with the certificate in this
>> record.  The only two records currently that have a trust anchor, as oppose
>> to a constraint, component are 2 and 3. 
> 
> I leave a call on that to the wise chairs :-) 
> I do not care personally 

I'm not sure where these "wise chairs" are, but I believe we have consensus for PKIX-TA.
It's not ideal but seems good enough.


Apologies for the delay, digging out from under backlogged mail from the NANOG/RIPE/IETF/ICANN roadshow…

W


> 
>> 
>> 6.  The note component at the end of section 2.1 should be deleted.
> 
> Gone
> 
>> 
>> 7.  In section 3, the descriptive text and the example records do not match
>> in very significant ways.
>> 
> 
> I must be dense, there is not supposed to be any correlation between the
> two paragraphs in section 3 they are supposed to be separate examples. 
> thanks for good comments. 
> 
> 	Olafur
> 
>> Jim
>> 
>> 
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
> 

-- 
"I think it would be a good idea." 
- Mahatma Ghandi, when asked what he thought of Western civilization

v2.29.0 | Report a Bug | By Email | System Status