Re: [Danish] Proposed WG Charter

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 12 June 2021 16:56 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: danish@ietf.org
In-Reply-To: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com>
References: <CAEfM=vRA4P7As25Krc64Q5QTEuQZidpmzWgXWivOxOm8x-9ZAw@mail.gmail.com>
Date: Sat, 12 Jun 2021 12:56:04 -0400
Message-ID: <2920.1623516964@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/danish/E4muyAZABm1h8vYOvHXtHf1JlSc>
Subject: Re: [Danish] Proposed WG Charter

Thanks Ash for doing such a good job on this charter.
{I apologize for being rather lame in responding to the charter discussions
in the past few weeks... some kind of COVID induced mid-life depression
around turning 50, and being unable to stay up all night writing code}

The charter feels a bit long/detailed I think, with content that maybe
belongs in a problem statement draft.... But, if the IESG doesn't mind that,
I don't.

Some thoughts as I read it again:

> but has also
> shown that reliance on DNSSEC is a significant barrier to adoption.

also:
> The greatest barrier to DANE adoption has been the DNSSEC requirement.

Reading this, I wonder if we really understand why DNSSEC has been so hard to
get deployed among Enterprise entities.  TLDs have done it, because ICANN
forced them to.
As evidence, we don't need DLV anymore (I was involved in running it, and
decommissioning it).  What I'm trying to say/ask: is there in fact some work
in understanding this?   An increasing number of DNS Registrars support DS
records, and CDS is supposed to make this even easier.

Adding DNSSEC to a DNS server seems (to me), *significantly* easier than
operating a private CA, but it's also apples vs oranges.


> This allows for a gradual DANE
> adoption where DNSSEC is not in the initial set of requirements.

It seems that if we make something that makes DNSSEC less important, that
DNSSEC will never become important.

> In response to the challenges related to ambiguity between identities
> issued by different CAs, application owners frequently choose to onboard
> IoT devices to a single CA. This process of credential issuance can be
> time-consuming, which is further exacerbated by the sheer number of
> entities participating in large-scale IoT deployments.

So I understand why a single CA solves the potential identity confusion.
I don't understand why the scale matters here.  That sentence seems almost
a non sequitur.

I think that the charter needs to introduce the message use case.
Or maybe delegate that more clearly.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
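As an added illustration of the DS/CDS mechanism the message refers to (example code written for this archive page, not from the e-mail or from any IETF document), the block below derives the DS record a registrar or CDS-scanning parent computes from a child's DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) and shows the parent-side rule from RFC 7344 that a CDS set is only acted on when it was DNSSEC-validated, which is why CDS eases rollovers rather than the initial DNSSEC bootstrap. The DNSKEY bytes and DS tuples are constructed sample values; `parent_update_from_cds` is a hypothetical helper name.

```python
# Added example: DS derivation from DNSKEY and a parent-side CDS acceptance rule.
import hashlib
import struct


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA, carry folded once."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes) -> tuple:
    """Return the DS tuple (key_tag, algorithm, digest_type=2, SHA-256 hex digest).

    The digest covers the canonical owner name followed by the DNSKEY RDATA (RFC 4034 5.1.4).
    """
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def parent_update_from_cds(published_ds: set, cds: set, dnssec_validated: bool):
    """Parent-side CDS handling (RFC 7344, simplified): return the DS set to publish,
    or None when nothing should change.

    A CDS set that did not arrive through a validated DNSSEC chain is ignored, so a
    child that has no DS in the parent yet cannot bootstrap itself this way.
    """
    if not dnssec_validated or not cds or cds == published_ds:
        return None
    return set(cds)


if __name__ == "__main__":
    # Constructed sample key; a real DNSKEY carries hundreds of bytes of key material.
    print(ds_record("example.com.", 257, 8, b"\x01\x02\x03\x04"))
```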