Re: [dane] namespace management, DANE Client Authentication draft updated
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 13 January 2016 05:53 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 662B61A0390 for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 21:53:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pk7ltCMsRjVp for <dane@ietfa.amsl.com>; Tue, 12 Jan 2016 21:53:23 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C19C1A0389 for <dane@ietf.org>; Tue, 12 Jan 2016 21:53:23 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 9919E284AED; Wed, 13 Jan 2016 05:53:22 +0000 (UTC)
Date: Wed, 13 Jan 2016 05:53:22 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160113055322.GJ18704@mournblade.imrryr.org>
References: <C444ACCC-3273-48FE-84DA-2E910C6F756E@dukhovni.org> <20160113052947.54721.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20160113052947.54721.qmail@ary.lan>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/mC8lCRW-C8bX94iqk2gDVp7_wE0>
Subject: Re: [dane] namespace management, DANE Client Authentication draft updated
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 05:53:25 -0000
On Wed, Jan 13, 2016 at 05:29:47AM -0000, John Levine wrote: > It has very little to do with distinct transport protocols, and > everything to do with avoiding name collisions. Nobody runs POP or > IMAP over UDP, but the SRV names are still _pop3._tcp and _imap._tcp. That's because SRV records are a generic (somewhat over-engineered) construction, and we're stuck with separate: _kerberos._udp.realm.example. IN SRV 100 0 88 kdc1.example. _kerberos._tcp.realm.example. IN SRV 100 0 88 kdc1.example. with the only benefit of this separation being the ability to discover that a given realm has no UDP-based or has no TCP-based KDCs. None of this is especially relevant for clients. So we can keep the client TLSA record query name simple with: ; TLSA RRtype sufficient to distinguish this from all ; other uses of the name, and any collisions with server ; names with look like _port._proto.server.example. ; _application.box.example. IN TLSA 3 1 1 ... or we inject additional labels, making the name further removed from identifying a DANE application at a given DNS node: _application._tcp._client._dane.box.example. IN TLSA 3 1 1 ... because _client might be used in non-dane contexts, and we want to distinguish TCP from UDP, ... But what's the real benefit to all this? We're publishing TLSA records for "application" on "box.example", is any of the other baggage really helpful? With enough such labels, we don't need a TLSA RRtype, just use TXT, and encode the data in JSON. _application._tcp._client._tlsa._dane.box.example. IN TXT "{usage=3, selector=1, mtype=1, data=...}" The point I'm trying to make is that given the base domain, an application-specific initial _label, an the TLSA RRtype, we have all the essential distinguishing identifiers and anything else is baggage that needs justification. James makes a plausible point about _client as a way to carve out a zone for clients, but because unlike SMIME/A or OPENPGPKEY the base domain is here typically not a zone apex, but rather a specific host, carving out a new zone under each host scales poorly. And this takes away the simplicity of an identity mapping between the query domain and the corresponding SRV-ID. So I while I am sympathetic to his argument, I don't think it holds up in the end. If we start injecting _proto, and various additional labels, I am pretty we'd be overdoing the design. There has be a good reason for these, beyond superficial similarity to server use-cases that are not actually analogous. -- Viktor.
- [dane] DANE Client Authentication draft updated Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… James Cloos
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… Viktor Dukhovni
- Re: [dane] DANE Client Authentication draft updat… John Levine
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] DANE Client Authentication draft updat… Kim Alvefur
- Re: [dane] DANE Client Authentication draft updat… Shumon Huque
- Re: [dane] namespace management, DANE Client Auth… John R Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… Shumon Huque
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] DANE Client Authentication draft updat… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… Wiley, Glen
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… John Levine
- Re: [dane] namespace management, DANE Client Auth… Sandoche Balakrichenan
- Re: [dane] namespace management, DANE Client Auth… Viktor Dukhovni
- Re: [dane] namespace management, DANE Client Auth… Shumon Huque