Re: [dane] WGLC: DANE-SRV & DANE-SMTP

Warren Kumari <warren@kumari.net> Thu, 29 January 2015 17:06 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9B9F1A00F9 for <dane@ietfa.amsl.com>; Thu, 29 Jan 2015 09:06:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oPpsJZ0_wRyM for <dane@ietfa.amsl.com>; Thu, 29 Jan 2015 09:06:44 -0800 (PST)
Received: from mail-wi0-f173.google.com (mail-wi0-f173.google.com [209.85.212.173]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A10861A1BE0 for <dane@ietf.org>; Thu, 29 Jan 2015 09:06:43 -0800 (PST)
Received: by mail-wi0-f173.google.com with SMTP id r20so29173931wiv.0 for <dane@ietf.org>; Thu, 29 Jan 2015 09:06:42 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=mtJqm2Nh2OW11Qm/TgMKQXzmx2hyeywD/4CORdKmcU4=; b=aAGLiVAPkE0OHx/FtfEy7wO4UZ610YzUtFA3rFUFA3aotKHE5IXAsfxLJh1ujZ00Yt eHbCwsEVwmWMbMho/3KBkP098ihmDqZPPMqGcOt42w3AF1G/SUqdXJuXrzOQ3EjTk19C lCLw6Mx8DYnoheBaM2q/2Vl36v9Xwf4rxZOcifgYXGFUfJTQppgu3LhEbKD6/EZXp1Cu t3vE+JHiFsjVfv3U2o69ESfwlPKq9viH3pD71CsWLll2mQsLGf0H373++/rG08WKl0we 4PeJ+3ACKrFKABgwR2PVC3pgBid7BcC/grsgm/1bM2TlcOoienX+7NPwJJnghYZcFB+F W+kw==
X-Gm-Message-State: ALoCoQmWkeRxBu3MS6QaUp9/FZed87AkNXZ78uUNN21r+xldD4Y6MZBsgajqjwbSE+vX1lg/eC9n
MIME-Version: 1.0
X-Received: by 10.180.73.178 with SMTP id m18mr1748006wiv.65.1422551201840; Thu, 29 Jan 2015 09:06:41 -0800 (PST)
Received: by 10.194.158.231 with HTTP; Thu, 29 Jan 2015 09:06:41 -0800 (PST)
In-Reply-To: <383563B8-2F31-48F2-9B09-C7195313DB15@ieca.com>
References: <0DAFC2A8-A1E2-46F4-BA52-E8261CB09159@ogud.com> <9DEDC923-8B03-4AF7-82FF-60C96C614641@ieca.com> <20150122220856.GJ8034@mournblade.imrryr.org> <383563B8-2F31-48F2-9B09-C7195313DB15@ieca.com>
Date: Thu, 29 Jan 2015 12:06:41 -0500
Message-ID: <CAHw9_i+gYJqwaOp_=mg-EJHN7TJHZLBNKBRHXTYbVe6rQ8k8ZQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Sean Turner <turners@ieca.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/t6tItiSJrDOX_8BFyEoziUcCVn0>
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] WGLC: DANE-SRV & DANE-SMTP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 17:06:50 -0000

On Thu, Jan 29, 2015 at 10:43 AM, Sean Turner <turners@ieca.com> wrote:
> On Jan 22, 2015, at 17:08, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
>> On Thu, Jan 22, 2015 at 04:23:36PM -0500, Sean Turner wrote:
>>
>>> This is procedural but I guess it's major:
>>>
>>> Am I right that this draft is using the new definition for DANE-EE
>>> that is documented in draft-ietf-dane-ops?  Don't we have to wait
>>> for it to update RFC 6698 or does this specification have to indicate
>>> that it updates RFC 6698?
>>
>> Indeed the semantics of DANE-EE(3) are the same in both the ops
>> and smtp-with-dane drafts.
>>
>> The ops draft ammends the semantics for all use-cases of the TLSA
>> record by updating 6698.  The smtp-with-dane draft makes the same
>> change only for opportunistic DANE TLS used in MTA to MTA SMTP.
>>
>> The history is that the decision to turn the ops draft into a 6698
>> update happened rather late, and until that time, only the smtp
>> draft had the requisite normative language.
>>
>> I don't know to best deal with this procedurally.  One might say
>> that both drafts update 6698, or that only the ops draft does that,
>> and the smtp draft applies just narrowly to the protocol at hand.
>>
>> I don't have any views on the logistics.
>
> Multiple drafts can update one draft so if you want to save time you can just add
> "Updates: 6698 (once approved)" to the header of both drafts and you’d be procedurally covered.  Well I guess technically, you need to also say “This draft updates RFC 6698” or something like that in the abstract of the nits checker will complain.
>
>>> 0) s1.1, delayed delivery: r/When an MTA is unable forward/When an MTA is to unable forward
>>
>>    Muphry bites, but I know what you mean thanks.
>>
>>> 1) s1.1, delayed delivery: Might be good to have a forward
>>> reference to "mandatory DANE TLS" in the later section or add it
>>> as a definition in s1.1.
>>
>> I'll add a forward reference, unless there is good reason to extend
>> the terminology.
>
> Nope that’ll work.
>
>>> 2) s1.1: Couldn?t hurt to have informative references to DNS RR and RRSet.
>>
>> Sure.
>>
>>> 3) s1.2: r/Certificate Authority/Certification Authority
>>
>> Indeed, I thought I fixed all of those…
>
>>> 4) s1.3.2: r/and requiring/and require
>>
>> This is a rather long sentence, but its high level
>> structure is:
>>
>>    One might try to ... by using ... and requiring ...
>>
>> So I think that "requiring" agrees better with the
>> preceding parts.  It might be clearer with an
>> extra "by":
>>
>>    One might try to ... by using ... and by requiring ...
>>
>> Or a rewrite of the whole sentence.
>
> I re-read it leave it as is.
>
>>> 5) s1.3.3: What I think you're trying to say here:
>>>
>>> Sending systems are in some cases explicitly configured to use TLS
>>> for mail sent to selected peer domains.   This requires sending MTAs
>>> to be configured with appropriate subject names or certificate
>>> content digests to expect in the presented server certificates.
>>>
>>> is this:
>>>
>>> Sending systems are in some cases explicitly configured to use TLS
>>> for mail sent to selected peer domains, but this requires configuring
>>> sending MTAs with appropriate subject names or certificate
>>> content digests from their peer domains.
>>
>> These looks largely the same to me, your version is fine too.
>
> Yeah just moving some words.
>
>>> 6) s2.1.3: I think if we're going to have a "MUST NOT" for
>>> something it's probably worth a pointer to the definition in RFC
>>> 4033 for "Security-Oblivious stub-resolvers? or add it to s1.1 and
>>> point to RFC 4033.
>>
>> Makese sense.  The larger question is whether this is really the
>> right place for a MUST NOT.  If the client gets this wrong it is
>> insecure (never sees any "secure" domains and never uses DANE),
>> but it is still interoperable.  What's the right way to tell clients
>> that they don't get any security if their recursor is oblivious?
>
> I think doing it here is fine.  There might be other places we’d also do it, but here I think is a fine place to start.
>
>>> 7) s2.2.1: The text about MTA delivery logs made me wonder where
>>> the rest of the normative behavior is for MTA delivery logs and
>>> whether this text is updating that text.
>>
>> I don't think there is any such text anywhere else.  The closest
>> you'll find is "no misrepresentation of security" in RFC 7435
>> (opportunistic security) of which this is an instance.
>
> This is good to know and personally I’m fine with it.  I wonder if the mail folks won’t come unglued about this though because it’s imposing some kind of requirements on the MTA.  But, let’s see what they say before we try to second guess what might make it through.
>
>>> 8) s3.1: Should this be "RECOMMEND":
>>>
>>>  In summary, we recommend the use of either "DANE-EE(3) SPKI(1)
>>>  SHA2-256(1)" or "DANE-TA(2) Cert(0) SHA2-256(1)" TLSA records
>>>  depending on site needs.
>>
>> Sure, if there are no objections.
>
> I guess we’ll see ;)
>
>>> 9) s3.1: Maybe reword:
>>>
>>> The mandatory to support digest algorithm in [RFC6698] is
>>> SHA2-256(1)
>>>
>>> to:
>>>
>>> As specified in [RFC6698], the mandatory to implement digest
>>> algorithm is SHA2-256(1).
>>
>> Yes.
>>
>>> 10) s3.2.3: r/must be entire/must be the entire
>>
>> Yes.
>>
>> When should the suggested changes be made?
>
> Since we’re changing at least one 2119 keyword, I guess I’d go ahead and spin a new version before IETF LC - but that’s really up to the chairs.


... and I'd like to apologize for us not having actually called this /
answered any of the requests for guidance / actually done anything.

We have been stupidly busy recently (in related news:
https://blog.cloudflare.com/help-us-test-our-dnssec-implementation/) ,
and I've been owing Olafur a call back for a few weeks now. We (the
chairs and our AD) are planning a call in the next few days to discuss
how to make sure we keep things moving...

Y'all (DANE) deserve better and we are working on making that happen...
W

>
> spt
>
>> --
>>       Viktor.
>>
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf