Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

Sara Dickinson <sara@sinodun.com> Fri, 07 October 2016 17:32 UTC

From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <20161007094840.GA27400@laperouse.bortzmeyer.org>
Date: Fri, 07 Oct 2016 18:32:21 +0100
Message-Id: <34B559CE-B72D-467D-BF1B-36F9B991DD47@sinodun.com>
References: <5dc29c0c-9f34-dcac-8d94-f2722ee6a4ba@gmail.com> <20161007094840.GA27400@laperouse.bortzmeyer.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/2VCT__PXoLoi3EjE0qWVepgqHPs>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

> On 7 Oct 2016, at 10:48, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> 
> On Thu, Oct 06, 2016 at 02:58:09AM -0400,
> Tim Wicinski <tjw.ietf@gmail.com> wrote 
> a message of 28 lines which said:
> 
>> This starts a Working Group Last Call for:
>>   draft-ietf-dprive-dtls-and-tls-profile
> 
> Executive summary: OK for me,
> draft-ietf-dprive-dtls-and-tls-profiles-03 can (and should) be
> published. I find that touchy issues, such as the relationship with
> the authentication mechanisms described in RFC 7858, or such as the
> table 1 "DNS Privacy Protection by Usage Profile and type of attacker"
> are nicely done.

Good to know - thanks. 

> 
> The table 1 could use some details about the possibility of detection
> for passive attacks (for active attacks, it is addressed in section
> 5). These details were promised in
> <https://mailarchive.ietf.org/arch/msg/dns-privacy/8VMIuFKWZUAzP7UWivLn9fA_Ew4>
> :-)

Yes, thanks for catching (again)! I will add an example similar to the one in the mail thread into section 5 so that the discussions of detection of active and passive attacks are together.

> 
> Technical question:
> 
> The document seems to use "X.509" and "PKIX" as synonyms. Is it really
> the case?

Paul’s suggestion of using PKIX throughout seems sensible.

> 
> Small legal detail:
> 
>> this application [extended to be used for recursive clients and
>> authoritative servers] is out of scope for the DNS PRIVate Exchange
>> (DPRIVE) Working Group per its current charter.
> 
> A bit exaggerated: the current charter says "it [the DPRIVE WG] may
> also later consider mechanisms that provide confidentiality between
> Iterative Resolvers and Authoritative Servers"

A reasonable point. I copied that text directly from RFC 7858 (DNS-over-TLS) as that is how the scope is justified in that document...

> 
> Editorial detail:
> 
>> but may be the subject of a future I-D.
> 
> Should probably be removed before it becomes a RFC.

How about I change it to “may be the subject of future work”?  Unless such an I-D is likely to appear in the very near future?  :-)

Sara.