Re: [dane] Reusing TLSA

Ben Laurie <benl@google.com> Wed, 26 September 2012 08:46 UTC

In-Reply-To: <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org>
Date: Wed, 26 Sep 2012 09:46:05 +0100
Message-ID: <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

On 25 September 2012 23:32, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:
>
>> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?
>
> No, because the types of content are identical.

They are not, as I just pointed out in the other thread.

>> Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?
>
> That's not content, that's the request you used to get the content.
>
> As Ben pointed out earlier, we need to make a few changes saying "where DANE talks about a chain sent by the server, this document is talking about a chain sent by the other party". But the contents are the same.

You could argue that all RRs merely contain bytes, so their contents
are "the same". If they mean different things, then they're not
_really_ the same.

It could be that TLSA could be redrafted to fix this problem.
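The disagreement above is about whether two TLSA records with byte-identical RDATA "mean the same thing" when one sits under a `_port._proto.host` owner name and the other under a `_smimecert` owner name. The following is an added illustration, not code from the thread, the DANE WG or any draft: it parses TLSA RDATA as laid out in RFC 6698 (usage, selector, matching type, association data), shows that the record type alone cannot tell a consumer how to process the data, and derives the processing context from the owner name as Dan York's message suggests. The `_smimecert` label position (second from the left) is taken from the quoted text; the helper names and the sample certificate bytes are constructed for the example and are not real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values as registered for TLSA in RFC 6698 section 2.1.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching: int
    data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse TLSA RDATA: three one-octet fields, then the association data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than 3 octets")
    usage, selector, matching, data = rdata[0], rdata[1], rdata[2], rdata[3:]
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    if matching not in MATCHING:
        raise ValueError(f"unknown matching type {matching}")
    # A digest of the wrong length can never match; reject it up front so a
    # truncated or padded record is treated as malformed, not as "no match".
    if matching in DIGEST_LEN and len(data) != DIGEST_LEN[matching]:
        raise ValueError(f"{MATCHING[matching]} data must be {DIGEST_LEN[matching]} octets")
    if matching == 0 and not data:
        raise ValueError("matching type Full requires association data")
    return TLSARecord(usage, selector, matching, data)


def make_tlsa_rdata(usage: int, selector: int, matching: int, presented: bytes) -> bytes:
    """Build RDATA for a certificate or SPKI (hypothetical helper for the example)."""
    if matching == 0:
        data = presented
    else:
        data = hashlib.new("sha256" if matching == 1 else "sha512", presented).digest()
    return bytes([usage, selector, matching]) + data


def processing_context(owner: str) -> str:
    """Derive what the record is *for* from the owner name, not from the RR type.

    The RDATA layout is identical in both cases; only the owner name says
    whether the associated party is a TLS service or an S/MIME correspondent.
    """
    labels = owner.rstrip(".").split(".")
    if len(labels) >= 3 and labels[1] == "_smimecert":
        return "smime"
    if (len(labels) >= 3 and labels[1] in ("_tcp", "_udp", "_sctp")
            and labels[0].startswith("_") and labels[0][1:].isdigit()):
        return "tls"
    return "unknown"


def association_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check the presented certificate (or its SPKI) against the record.

    The caller is assumed to have extracted the SubjectPublicKeyInfo already;
    DER parsing is out of scope here.
    """
    presented = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return hmac.compare_digest(presented, rec.data)
    digest = hashlib.new("sha256" if rec.matching == 1 else "sha512", presented).digest()
    return hmac.compare_digest(digest, rec.data)


def demo() -> dict:
    """Same RDATA under two owner names yields two different contexts."""
    spki = b"constructed-spki-not-real-der"  # constructed sample, not real DER
    rdata = make_tlsa_rdata(3, 1, 1, spki)   # DANE-EE, SPKI, SHA2-256
    rec = parse_tlsa_rdata(rdata)
    return {
        "_443._tcp.mail.example.": processing_context("_443._tcp.mail.example."),
        "c93f1e40._smimecert.example.": processing_context("c93f1e40._smimecert.example."),
        "matches": association_matches(rec, b"constructed-cert", spki),
    }


if __name__ == "__main__":
    print(demo())
```

The point the code makes is the one both sides of the thread are circling: a consumer that has only the RDATA cannot tell which validation procedure applies, so any shared-RRtype design has to make the owner-name convention part of the processing rules, and a parser that accepts malformed digests silently turns a misconfiguration into a permanent "no match".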