Re: [dane] Fwd: New Version Notification for draft-osterweil-dane-ent-email-reqs-01.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 26 November 2014 01:05 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D4AB1A8759 for <dane@ietfa.amsl.com>; Tue, 25 Nov 2014 17:05:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ToyeVRc83udM for <dane@ietfa.amsl.com>; Tue, 25 Nov 2014 17:04:58 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A2961A86E1 for <dane@ietf.org>; Tue, 25 Nov 2014 17:04:58 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id E7C9C28302F; Wed, 26 Nov 2014 01:04:56 +0000 (UTC)
Date: Wed, 26 Nov 2014 01:04:56 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141126010456.GB25114@mournblade.imrryr.org>
References: <20141126000329.7972.72323.idtracker@ietfa.amsl.com> <B81C95E2-0F2B-4E5B-B4C5-7CD25BEE6F0B@nist.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <B81C95E2-0F2B-4E5B-B4C5-7CD25BEE6F0B@nist.gov>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/x6nSWWWhyd7USwGCL7A_z3CWu4Q
Subject: Re: [dane] Fwd: New Version Notification for draft-osterweil-dane-ent-email-reqs-01.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 01:05:01 -0000
On Wed, Nov 26, 2014 at 12:07:06AM +0000, Rose, Scott wrote: > We submitted a new version of the email-reqs draft. This version is likely not perfect, but I wanted it to appear before the US Thanksgiving holiday so people have a chance to look at it before the interim meeting. > > Text and requirements are cleaned up a bit and added example use cases for non-trivial requirements. Also added a new section of requirements that are not really DANE relevant, but added for completeness and just to have them documented somewhere. A new DANE type is probably not the ideal solution for all of these requirements. > > Comments welcome, now or during/after the interim meeting, * REQ-2 seems to suggest DNAME in a context where I would generally expect CNAME (linking one leaf record to another). DNAMEs would far more likely be used when all users have addresses in each of two or more equivalent domains. * I think REQ-5 is a leap from the underlying desire of constraining credentials to specific uses. It states that it must be possible to convey negative assertions (don't use key K for purpose P'), while it may be quite sufficient to use positive assertions, which have better security semantics (use K for purpose P), and anything not asserted is by definition not valid. Thus the requirement ought to be implementation neutral, and whether it is implemented in positive or negative terms is an implementation choice not a requirement. * REQ-6 seems to be substantially the same as 5. * REQ-7 is I think too concise. What is it about? * REQ-8 feels wrong. It is turtles all the way down, the merging enterprise's applications may be using some other protocol. The protocol cannot encompass all competing protocols. Applications may need to support multiple protocols, and perhaps a meta protocol (obligatory xkcd reference anyone) could be used to signal which one to apply to which user. However it may simply be better for a new protocol to keep things simple and aim to displace rather than entrench legacy options. * I don't understand REQ-10. * Is REQ-11 confusing application implementing the protocol with the protocol? If not what is it saying? * REQ-12 is definitely an application and not a protocol requirement. * REQ-13 seems to be reprise of REQ-5/6. * REQ-15 feels like a derived "requirement" from some other unstated assumptions. What is its real purpose? The words "authenticated denial of existence" are I think unfortunate in this context, since they have a very specific meaning in DNSSEC, which likely differs from the intention here. * I see no discussion of case sensitivity. For example, a domain in which addresses are case insensitive could publish records (at a suitably encoded label) associated with a case-tagged email "address" that is not valid 5322 syntax: lowercase@joeuser@example.com (as distinct from "lowercase@joeuser"@example.com, and I would expect the quotes in quoted localparts to be part of the input to the encoded address). Then applications that don't find a match for the user supplied case could try the above variant instead, and not run into collisions at domains where addresses are case-sensitive, because such domains would not publish data for such prefixes. With a bit of cleverness we can handle case sensitivity without imposing on the freedom of the destination domain to be case sensitive or not. * Should there be some discussion of EAI? Are UTF-8 localparts also subject to attempts at case conversion? Any other EAI issues? -- Viktor.
- [dane] Fwd: New Version Notification for draft-os… Rose, Scott
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] New Version Notification for draft-ost… Jakob Schlyter
- Re: [dane] New Version Notification for draft-ost… Jakob Schlyter
- Re: [dane] New Version Notification for draft-ost… Viktor Dukhovni
- Re: [dane] New Version Notification for draft-ost… Rose, Scott
- Re: [dane] Fwd: New Version Notification for draf… Doug Montgomery