IETF Logo Mail Archive

Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 26 August 2014 15:35 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0523F1A8746 for <dane@ietfa.amsl.com>; Tue, 26 Aug 2014 08:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8oSGv5Dc7EpA for <dane@ietfa.amsl.com>; Tue, 26 Aug 2014 08:35:43 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 420611A8749 for <dane@ietf.org>; Tue, 26 Aug 2014 08:35:43 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0F93D2AB0B4; Tue, 26 Aug 2014 15:35:41 +0000 (UTC)
Date: Tue, 26 Aug 2014 15:35:41 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140826153540.GZ14392@mournblade.imrryr.org>
References: <20140723172859.7673.58244.idtracker@ietfa.amsl.com> <20140724125757.GW2595@mournblade.imrryr.org> <53F3885F.5090703@stpeter.im> <53FBDDC8.4010908@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <53FBDDC8.4010908@stpeter.im>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/rbIHreYuyOBLptGdQAbs97Q6uP4
Subject: Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 15:35:48 -0000

On Mon, Aug 25, 2014 at 07:07:20PM -0600, Peter Saint-Andre wrote:

> >Yes, Section 2.1 of draft-ietf-dane-smtp-with-dane is indeed quite
> >comprehensive. I am hesitant to copy it to draft-ietf-dane-srv primarily
> >because copying introduces the possibility of divergence in text and
> >secondarily because that text talks about SMTP. It seems safer to me if
> >we point to that text from the dane-srv specification.
> 
> Upon reading the dane-smtp document again, I am thinking more strongly that
> the text in Section 2.1 applies to most application protocols, not only
> SMTP; thus I wonder if we can move it to a more general document.
> 
> Chairs & WG, what do you think?

At the time that was written, the OPS draft was informational, but
this section necessarily contains normative text.  So for lack of
a better place, it was in the SMTP draft.

I'm not sure that section 2.1 is a good fit for the OPS draft,
which is already somewhat of a chimera as a result of a change of
mission from an informational implementation/ops guide to a 6698
update.

What is perhaps missing is a generic document describing DANE
implementation guidelines for opportunistic protocols that use DANE
for "discovery", and implement DANE-based authentication only when
keys are found (this is the use-case addressed by 2.1, though some
or most of it[ might also apply with non-opportunistic scenarios).

There could be a separate document with implementation guidelines
for using DANE for mandatory security (application must use
authentication by local policy, with TLSA RRs for key lookup).

[ Any volunteers?  I need a break from IETF activity after all the
  sturm und drang over the opportunistic security definition draft. ]

Another option may be to move 2.1 into the SRV draft, and use it
by reference from SMTP.  Tony's original documents had most of the
meat in the SRV draft, and SMTP was a thin variant.  The main
difficulty is that SRV does not have an explicit opportunistic or
mandatory mode of operation.  It leaves that question unaddressed.

So moving 2.1 into the SRV document might require at least some
text about differences between opportunistic DANE and mandatory
DANE.

We have a record format in 6698, but we don't yet have a document
that presents a model of how DANE should be used.  And there are
in fact at least two high-level models to describe.

The SRV document is basically DANE with Service Specification
records (http://www.ietf.org/archive/id/draft-ogud-dane-vocabulary-02.txt).

Perhaps the SRV draft should become primarily "Opportunistic
DANE with SSR" (some of the content already makes more sense
in that light), with a section at the end that briefly touches
on how the mandatory SRV use-case might differ?

If so, 2.1 moves to the SRV draft, and the SMTP draft imports it
by reference.  Other bits could move over also (the sections on
the various Certificate usages for example).

This is a difficult question, and another option is to focus and
specify DANE for XMPP (which is looking to use the SRV draft as
its DANE specification) leaving generic SRV for a time when we have
more clarity.  Are there other major application protocols with
SRV records that are gearing up to use DANE?

Here, I think there needs to a vision of how all the pieces fit
together, and somebody to drive it.  At this time, per protocol
documents may be easier to pin down, and SRV is arguably too general.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email