Re: [dispatch] DANE SRV draft and SIP

Peter Saint-Andre <stpeter@stpeter.im> Mon, 22 April 2013 18:28 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1065521F933F for <dispatch@ietfa.amsl.com>; Mon, 22 Apr 2013 11:28:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.979
X-Spam-Level:
X-Spam-Status: No, score=-101.979 tagged_above=-999 required=5 tests=[AWL=-0.620, BAYES_00=-2.599, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HEFgqMhvkXOc for <dispatch@ietfa.amsl.com>; Mon, 22 Apr 2013 11:28:23 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id E5CFA21F933B for <dispatch@ietf.org>; Mon, 22 Apr 2013 11:28:22 -0700 (PDT)
Received: from ergon.local (unknown [128.107.239.234]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 4FC7A41026; Mon, 22 Apr 2013 12:39:09 -0600 (MDT)
Message-ID: <51758144.1090201@stpeter.im>
Date: Mon, 22 Apr 2013 12:28:20 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: "Olle E. Johansson" <oej@edvina.net>
References: <A4E7BF8C-AF95-4669-8855-497C46067C1A@edvina.net> <C0FFAED0-AA24-41E4-979E-FFB8167A1940@edvina.net> <CAHBDyN5Ys6zcXKAyZQRwmD_RzD19Fe-4v5kWxvFpNZzEwWdxnA@mail.gmail.com> <949EF20990823C4C85C18D59AA11AD8B02B11A@FR712WXCHMBA11.zeu.alcatel-lucent.com> <667E20A3-B542-4C5D-B88D-200EA94EE3C7@edvina.net>
In-Reply-To: <667E20A3-B542-4C5D-B88D-200EA94EE3C7@edvina.net>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "dispatch@ietf.org list" <dispatch@ietf.org>
Subject: Re: [dispatch] DANE SRV draft and SIP
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Apr 2013 18:28:24 -0000

On 4/22/13 12:18 PM, Olle E. Johansson wrote:
> 
> On 22 Apr 2013, at 18:42, "DRAGE, Keith (Keith)"
> <keith.drage@alcatel-lucent.com> wrote:
> 
>> While there was never a formal mailing list poll (because we
>> never got to the point of needing a 3261bis), I think there was a
>> considerable body of opinion during the development of
>> domain-certs that the material would form part of any 3261bis
>> work. That I think lends support to any further work being done
>> in sipcore.
>> 
>> I do suggest you look back in the archives for the mailing list
>> discussion on domain-certs. You'll find it on the sip (not
>> sipcore) mailing list archive. You'll find the WG discussion
>> between Feb 2008 and April 2009 with the IESG approval discussion
>> continuing until May 2010.
> 
> Keith, Thank you for the reference.
> 
> Note that I'm not saying that RFC 5922 is wrong. The issue at hand
> is that the DANE group's current RFC suggests a solution not
> compatible with 5922. We need to decide which way to go.
> 
> We could recommend that the DANE way is used when DNSSEC and DANE
> validation is possible, and keep RFC 5922 for other cases.

Well, it's clear to me that we wouldn't allow checking of the derived
domain (in RFC 6125 terms) unless DNSSEC validation succeeds. Since
that is currently a rare event, we'd just continue to do what RFC 5922
says, which in draft-ietf-xmpp-dna we call the PKI prooftype.

> Or update the recommendation in 5922 to make sip with TLS better in
> regards to hosting larger amounts of domains.

I think that is somewhat a separate issue from defining the DANE
prooftype, because other prooftypes might be possible or more
deployable in the short term, such as the POSH prooftype that Matt
Miller and I have defined in draft-miller-xmpp-posh-prooftype (but
which is not specific to XMPP).

Peter

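The decision rule Peter states (check the SRV target, the "derived domain" in RFC 6125 terms, only when the SRV answer was DNSSEC-validated; otherwise check only the domain from the SIP URI, which is what RFC 5922 requires) written out as an added Python example. This is not code from the message, from draft-ietf-xmpp-dna or from any IETF draft; the SrvLookup/PeerCert structures, the dnssec_validated flag standing in for a validating resolver's result, and every domain name and SAN value below are constructed for illustration.

```python
# Added example: reference-identifier selection for a SIP-over-TLS client
# after an SRV lookup.  The SRV target is accepted as a reference identifier
# only when the lookup was DNSSEC-validated; the source domain (RFC 5922
# behaviour) is always checked.  All names and SAN values are constructed.
from dataclasses import dataclass


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot (no IDNA handling)."""
    return name.rstrip(".").lower()


@dataclass(frozen=True)
class SrvLookup:
    source_domain: str       # domain part of the SIP URI being contacted
    target: str              # SRV target host the client will connect to
    dnssec_validated: bool   # True only if the whole SRV chain validated (assumed
                             # to come from a validating resolver's AD bit)


@dataclass(frozen=True)
class PeerCert:
    dns_ids: tuple           # subjectAltName dNSName entries
    uri_ids: tuple = ()      # subjectAltName URI entries, e.g. "sip:example.com"


def reference_identifiers(lookup: SrvLookup) -> set:
    """Return the (kind, name) pairs the presented certificate may satisfy."""
    src = _norm(lookup.source_domain)
    ids = {("DNS-ID", src), ("SIP-URI-ID", src)}
    if lookup.dnssec_validated:
        # Derived domain: trusted only because DNSSEC proved the SRV mapping.
        ids.add(("DNS-ID", _norm(lookup.target)))
    return ids


def presented_identifiers(cert: PeerCert) -> set:
    """Extract (kind, name) pairs from the SAN entries; exact names only,
    wildcard entries are deliberately not interpreted."""
    ids = {("DNS-ID", _norm(n)) for n in cert.dns_ids if "*" not in n}
    for uri in cert.uri_ids:
        scheme, sep, host = uri.partition(":")
        if sep and scheme.lower() == "sip" and host and "*" not in host:
            ids.add(("SIP-URI-ID", _norm(host)))
    return ids


def verify_sip_peer(lookup: SrvLookup, cert: PeerCert):
    """Return (accepted, matched_identifier_or_None).

    A source-domain match is preferred over a derived-domain match so the
    reported reason does not depend on DNSSEC when it did not have to.
    """
    common = reference_identifiers(lookup) & presented_identifiers(cert)
    if not common:
        return False, None
    src = _norm(lookup.source_domain)
    return True, min(common, key=lambda ident: (ident[1] != src, ident))


if __name__ == "__main__":
    # Constructed scenario: example.com outsources SIP to a hoster whose
    # certificate names only the hoster's own machine.
    hoster_cert = PeerCert(dns_ids=("sip1.hoster.example",))
    unsigned = SrvLookup("example.com", "sip1.hoster.example.", False)
    signed = SrvLookup("example.com", "sip1.hoster.example.", True)
    customer_cert = PeerCert(dns_ids=(), uri_ids=("sip:Example.COM",))

    print("no DNSSEC, hoster cert :", verify_sip_peer(unsigned, hoster_cert))
    print("DNSSEC, hoster cert    :", verify_sip_peer(signed, hoster_cert))
    print("no DNSSEC, sip: URI-ID :", verify_sip_peer(unsigned, customer_cert))
```

The first scenario is the RFC 5922 outcome Olle describes as awkward for large hosters: without DNSSEC the hoster's certificate is rejected because it does not name the customer's domain. The second shows the derived domain becoming acceptable once the SRV chain validated, and the third shows the PKI prooftype still working on its own when the certificate carries a sip: URI-ID for the source domain.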