[dane] IETF-89 draft minutes
Olafur Gudmundsson <ogud@ogud.com> Wed, 12 March 2014 20:59 UTC
Return-Path: <ogud@ogud.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E13641A076A for <dane@ietfa.amsl.com>; Wed, 12 Mar 2014 13:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mH4Jg7kCj093 for <dane@ietfa.amsl.com>; Wed, 12 Mar 2014 13:59:00 -0700 (PDT)
Received: from smtp108.ord1c.emailsrvr.com (smtp108.ord1c.emailsrvr.com [108.166.43.108]) by ietfa.amsl.com (Postfix) with ESMTP id 02F701A074C for <dane@ietf.org>; Wed, 12 Mar 2014 13:58:59 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp6.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id C00F6988DF for <dane@ietf.org>; Wed, 12 Mar 2014 16:58:53 -0400 (EDT)
X-Virus-Scanned: OK
Received: by smtp6.relay.ord1c.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 5F927990B8 for <dane@ietf.org>; Wed, 12 Mar 2014 16:58:53 -0400 (EDT)
From: Olafur Gudmundsson <ogud@ogud.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F319A7B4-C784-4CE1-B909-D0923C47FD8D"
Message-Id: <3D074047-A9FC-4C90-A819-76552A99EE27@ogud.com>
Date: Wed, 12 Mar 2014 16:58:54 -0400
To: dane WG list <dane@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
X-Mailer: Apple Mail (2.1510)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/kGG0nUYw-BZcl3cGJn-edqZD1cU
Subject: [dane] IETF-89 draft minutes
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Mar 2014 20:59:03 -0000
Unless we hear otherwise in the by March 24'th these will become the official minutes. Thanks to Stephane, Olle and Dan for their notes. Olafur & Warren IETF 89, DANE Working Group meeting 2014-03-06 Chairs: Warren Kumari, Olafur Gudmundsson Scribe: Stephane Bortzmeyer Jabber Scribe: Olle Johansson Tweeter: Dan York Agenda in <https://datatracker.ietf.org/meeting/89/agenda/dane/> With links to the slides at <https://tools.ietf.org/wg/dane/agenda> 0) Administrivia The room is more than completely packed and many people are standing (or waiting outside). Next time, a bigger room is needed. 1) DANE status, Managment changes, future direction Co-chair Olafur Gudmundsson replaces Ondrej Sury. The draft "registry acronyms" draft-ietf-dane-registry-acronyms is in the RFC editor queue. Four other drafts are active. The plans are: 1.1) SMTP draft-ietf-dane-smtp-with-dane in WGLC. SRV draft-ietf-dane-srv soon (15 april) in WGLC 1.2) SMIME draft-ietf-dane-smime + OpenPGP draft-wouters-dane-openpgp (if adopted by the WG) : in WGLC on 15 may 1.3) DANE operations draft-ietf-dane-ops : decision in june? 1.4) IPsec draft-osterweil-dane-ipsec (if adopted) after What after that? Shutdown? Many changes are expected before june, so it is too early to decide. Paul Hoffman : lots of interest in other WGs so, it would be unwise to shutdown. Discussion taken to the mailing list (but nobody argued for a shutdown). 2) Working group Lookup documents 2.1) DANE SMTP by Viktor Dukhovni (Postfix) http://www.ietf.org/proceedings/89/slides/slides-89-dane-1.pdf Viktor reported a *lot* of open issues, discovered by the development of DANE-for-SMTP but often not-SMTP specifics. Some examples: if DANE publishes a full certificate, should we use only the public key in it or also check the other fields of the certificate? Many combination of options in DANE are strange and may be useless and require explanations anyway. What if some keys are published with a different set of digests? Big CNAME issue: search the TLSA record in the expanded name (after following the CNAME chain) or not? And what if expansion is insecure (not signed with DNSSEC)? Some details when implementing DANE on Postfix: don't do TLSA when the base domain is insecure even if, in theory, the DANE domain name may be secure, for instance with DLV). When Postfix receives a raw public key, it builds a dummy certificate around it, to make its TLS library happy. (See the draft on raw keys draft-ietf-tls-oob-pubkey, in RFC editor queue) Philip Hallam-Baker mentioned Certificate Transparency but it did not seem to raise interest. Crocker asked for a way for the client to signal the server which algorithms it knows, so the server can know when to drop an algorithm. Dukhovni disagreed, saying that DANE is complicated enough. After a few certificate questions, the DNS ones : the main discussion was (Peter Koch) about "fallback" to the first item in a CNAME chain when it is insecure. Fallbacks are brittle and can be dangerous. (It is the opinion of the minute taker that "fallback" is not the best word to describe the algorithm proposed in the current draft.) 2.2) Using DNS-Based Authentication of Named Entities (DANE) TLSA records with SRV and MX records. Matt Miller http://www.ietf.org/proceedings/89/slides/slides-89-dane-0.pdf Olle Johansson suggested that SIP has similar issues and that DANE people should harmonize with SIP. Someone suggested (jokingly, presumes the minute taker) to write a NAPTR document for DANE... A list of XMPP servers using DANE <https://xmpp.net/reports.php#dnssecdane> 2.3) Harmonizing how applications specify DANE-like usage (DANE vocabulary) Olafur Gudmunsson https://tools.ietf.org/agenda/89/slides/slides-89-dane-4.pdf Having a separate document, only with DNS vocabulary since it seems under-specified, and varies wildly? This would introduce a delay. OK for Paul Hoffman: I have issues such as changing DNSSEC vocabulary. We should slow down the drafts, so we can fix the vocabulary. Disagreement for Viktor Dukhovni : no delay is wished for, the specification is ready. Paul Hoffman suggested to public the current drafts, then write the vocabulary document, then produce a -bis of the other documents. Taken to the mailing list. 2.4) The DANE world model DANE - key acquisition, service discovery or usage assurance? Paul Hoffman (No slides) This was a more philosophical discussion (do note the W3C has an explicit Philosophy Working Group <http://www.w3.org/community/philoweb/>). Now that DANE is used for other things than the Web, we have many questions. Biggest one in the discussion, "DNS : delivery or discovery?" It seems there is no consensus, one of the reasons being that there is no clear definition of either. Many people do not see the difference (Dave Crocker: no difference. A lookup with A is the same as a lookup with SRV). Some people says there is one and that discovery is bad, is not "proper use of the DNS". For instance, on XMPP, Andrew Sullivan said "there's an ambiguity in 'discovery'. Some of it is 'discover service at this owner name' and some of it is 'find the right owner name for this service'. Most of the DNS anger is directed at (2) because it requires tree-climbing." It is not only philosophical, it may have security consequence if the data in the DNS and in TLS disagree. Also, does it mean we can use DANE to find out if we are supposed to connect to the peer with TLS? Tony Finch: a TLSA record also means you expect people to use TLS (no consensus on that). Peter Koch said it is neither delivery or discovery, DNS is lookup, you need a fixed identifier to starts with. He pointed out another ambiguity: domain can mean a subtree or a domain name (a node). Andrew Sullivan suggested also to start on a new work item: "Semiotics of DNS names from an architechtonic lead user's, pan-applicationist, IntraSuperSemioNet, post-modernist perspective" :-) For this issue, there was one question by the chairs: do we need to document this? The hmmmm clearly says yes and there was four-five volunteers to work on it. 2.5) Using DANE to Associate OpenPGP public keys with email addresses Paul Wouters https://tools.ietf.org/agenda/89/slides/slides-89-dane-2.pdf There is running code on <http://people.redhat.com/pwouters/hash-slinger/> (and Github <https://github.com/letoams/hash-slinger>) + a milter for Sendmail and Postfix. Biggest issue in the discussion: the TLSA record is found at a domain name which is the user's email address (actually, a hash of it). Since the left part of an email address is case-sensitive (in theory: Paul Wouters asked if there really was SMTP servers which care about case and got not reply), matching is less trivial thaan it seems ('echo -n "jAkOb" | openssl sha -sha224' ?) Mark Andrews claimed we should define canonicalization rules. Not doing so is "lazyness". Paul Hoffman disagrees, canonicalization is not easy (internationalized left parts) Taken to the mailing list. The two OpenPGP documents are asking for adoption. draft-wouters-dane-openpgp and draft-wouters-dane-openpgpkey-usage both got a strong hmmmmmmmmmmm. 2.6) IPSECKEY / Auth_none Paul Wouters http://www.ietf.org/proceedings/89/slides/slides-89-dane-3.pdf Just information, no decision 2.7) IPSECA Eric Osterweill (slides not available) draft-osterweil-dane-ipsec One of the goals is harmonize IPsec key learning with DANE. For instance, IPsec keys are currently host-specific while DANE keys are port-specific. Not many reactions
- [dane] IETF-89 draft minutes Olafur Gudmundsson
- Re: [dane] IETF-89 draft minutes Viktor Dukhovni