Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 26 August 2014 15:35 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0523F1A8746 for <dane@ietfa.amsl.com>; Tue, 26 Aug 2014 08:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8oSGv5Dc7EpA for <dane@ietfa.amsl.com>; Tue, 26 Aug 2014 08:35:43 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 420611A8749 for <dane@ietf.org>; Tue, 26 Aug 2014 08:35:43 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0F93D2AB0B4; Tue, 26 Aug 2014 15:35:41 +0000 (UTC)
Date: Tue, 26 Aug 2014 15:35:41 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140826153540.GZ14392@mournblade.imrryr.org>
References: <20140723172859.7673.58244.idtracker@ietfa.amsl.com> <20140724125757.GW2595@mournblade.imrryr.org> <53F3885F.5090703@stpeter.im> <53FBDDC8.4010908@stpeter.im>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <53FBDDC8.4010908@stpeter.im>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/rbIHreYuyOBLptGdQAbs97Q6uP4
Subject: Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 15:35:48 -0000
On Mon, Aug 25, 2014 at 07:07:20PM -0600, Peter Saint-Andre wrote: > >Yes, Section 2.1 of draft-ietf-dane-smtp-with-dane is indeed quite > >comprehensive. I am hesitant to copy it to draft-ietf-dane-srv primarily > >because copying introduces the possibility of divergence in text and > >secondarily because that text talks about SMTP. It seems safer to me if > >we point to that text from the dane-srv specification. > > Upon reading the dane-smtp document again, I am thinking more strongly that > the text in Section 2.1 applies to most application protocols, not only > SMTP; thus I wonder if we can move it to a more general document. > > Chairs & WG, what do you think? At the time that was written, the OPS draft was informational, but this section necessarily contains normative text. So for lack of a better place, it was in the SMTP draft. I'm not sure that section 2.1 is a good fit for the OPS draft, which is already somewhat of a chimera as a result of a change of mission from an informational implementation/ops guide to a 6698 update. What is perhaps missing is a generic document describing DANE implementation guidelines for opportunistic protocols that use DANE for "discovery", and implement DANE-based authentication only when keys are found (this is the use-case addressed by 2.1, though some or most of it[ might also apply with non-opportunistic scenarios). There could be a separate document with implementation guidelines for using DANE for mandatory security (application must use authentication by local policy, with TLSA RRs for key lookup). [ Any volunteers? I need a break from IETF activity after all the sturm und drang over the opportunistic security definition draft. ] Another option may be to move 2.1 into the SRV draft, and use it by reference from SMTP. Tony's original documents had most of the meat in the SRV draft, and SMTP was a thin variant. The main difficulty is that SRV does not have an explicit opportunistic or mandatory mode of operation. It leaves that question unaddressed. So moving 2.1 into the SRV document might require at least some text about differences between opportunistic DANE and mandatory DANE. We have a record format in 6698, but we don't yet have a document that presents a model of how DANE should be used. And there are in fact at least two high-level models to describe. The SRV document is basically DANE with Service Specification records (http://www.ietf.org/archive/id/draft-ogud-dane-vocabulary-02.txt). Perhaps the SRV draft should become primarily "Opportunistic DANE with SSR" (some of the content already makes more sense in that light), with a section at the end that briefly touches on how the mandatory SRV use-case might differ? If so, 2.1 moves to the SRV draft, and the SMTP draft imports it by reference. Other bits could move over also (the sections on the various Certificate usages for example). This is a difficult question, and another option is to focus and specify DANE for XMPP (which is looking to use the SRV draft as its DANE specification) leaving generic SRV for a time when we have more clarity. Are there other major application protocols with SRV records that are gearing up to use DANE? Here, I think there needs to a vision of how all the pieces fit together, and somebody to drive it. At this time, per protocol documents may be easier to pin down, and SRV is arguably too general. -- Viktor.
- [dane] I-D Action: draft-ietf-dane-srv-07.txt internet-drafts
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Peter Saint-Andre
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Peter Saint-Andre
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Peter Saint-Andre
- Re: [dane] I-D Action: draft-ietf-dane-srv-07.txt Viktor Dukhovni