Re: [dane] I-D Action: draft-ietf-dane-ops-08.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 15 May 2015 05:25 UTC

Date: Fri, 15 May 2015 05:25:23 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150515052523.GW17272@mournblade.imrryr.org>
References: <20150513182627.9918.67542.idtracker@ietfa.amsl.com> <20150513183614.GC17272@mournblade.imrryr.org> <201505140015.t4E0F35B026773@new.toad.com> <20150514010741.GI17272@mournblade.imrryr.org> <201505150056.t4F0uk5B028009@new.toad.com>
In-Reply-To: <201505150056.t4F0uk5B028009@new.toad.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/xa36PzKiFHHfg_wLQkevxzGtgKw>

On Thu, May 14, 2015 at 05:56:46PM -0700, John Gilmore wrote:

> 
> INTERNET-DRAFT                                                J. Gilmore
> DANE Working Group                        Electronic Frontier Foundation
> Intended status: Proposed Standard                          July 3, 2014
> Expires: December 31, 2014
> Updates: 6698 (if approved)
> 
> 
>              Authenticating Raw Public Keys with DANE TLSA
>                        draft-ietf-dane-rawkeys-00

I have read the draft, thanks.  I think that RFC 7250 raw public
keys are covered in the same way in draft-ietf-dane-ops via
usage DANE-EE(3) selector SPKI(1).

For other potential use-cases (i.e. neither TLS nor DTLS), it is
not clear how to interpret the TLSA record selector, and what the
meanings of the existing certificate usages might be.

I'd like to see some success with RFC 7250 + DANE, before we further
extend the TLSA RRtype into virgin territory.  At the very least
there should be a practical use-case against which to measure the
soundness of the proposal.

RFC7260 is a sound extension; if additional sound extensions come
along, I think they can be accommodated at that time.

So, I'd like to ask that at this time, we come to closure on whether
RFC7250 is adequately supported by the language in draft-ietf-dane-ops.
If so, let's get that out the door, and open the floor for discussion
of further extensions after that.

-- 
	Viktor.
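An added example (mine, not the poster's nor any implementation's code) of the DANE-EE(3) SPKI(1) matching the reply refers to: it builds a TLSA record from a raw public key's SubjectPublicKeyInfo and checks a presented raw key against a TLSA RRset. Because an RFC 7250 peer sends no certificate, only usage 3 / selector 1 records can apply; the SPKI bytes below are a constructed placeholder, not a real key.

```python
import hashlib
import hmac
from typing import Iterable, NamedTuple


class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 Cert (full certificate), 1 SPKI
    mtype: int     # 0 Full, 1 SHA2-256, 2 SHA2-512
    data: bytes


# Constructed sample: DER SubjectPublicKeyInfo for an Ed25519 key
# (OID 1.3.101.112) wrapping 32 all-zero key bytes. Placeholder only.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(32)


def _match_data(spki_der: bytes, mtype: int) -> bytes:
    """Association data for a selector-1 (SPKI) record of the given matching type."""
    if mtype == 0:
        return spki_der
    if mtype == 1:
        return hashlib.sha256(spki_der).digest()
    if mtype == 2:
        return hashlib.sha512(spki_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for_raw_key(spki_der: bytes, mtype: int = 1) -> TLSA:
    """Publish a raw public key as DANE-EE(3) SPKI(1) with the chosen matching type."""
    return TLSA(3, 1, mtype, _match_data(spki_der, mtype))


def presentation(rec: TLSA) -> str:
    """Zone-file presentation form, e.g. '3 1 1 <hex digest>'."""
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def raw_key_matches(spki_der: bytes, rrset: Iterable[TLSA]) -> bool:
    """True if the presented raw key (its DER SPKI) is authenticated by the RRset."""
    for rec in rrset:
        # Usages 0-2 need a certificate chain and selector 0 needs a certificate;
        # a raw-key peer offers neither, so such records are unusable here.
        if rec.usage != 3 or rec.selector != 1:
            continue
        try:
            expected = _match_data(spki_der, rec.mtype)
        except ValueError:
            continue  # unknown matching type: skip, per RFC 6698 semantics
        if hmac.compare_digest(expected, rec.data):
            return True
    return False
```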