[dns-privacy] Martin Duke's Discuss on draft-ietf-dprive-xfr-over-tls-11: (with DISCUSS and COMMENT)

Martin Duke via Datatracker <noreply@ietf.org> Mon, 03 May 2021 18:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/9qy-ISK3K5i0ITo3LbUuPngmTgQ>

Martin Duke has entered the following ballot position for
draft-ietf-dprive-xfr-over-tls-11: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

In further discussions it became clear that the authors do not intend for XoT
traffic to use an ALPN code at all. I'm afraid this may be a misunderstanding
of previous guidance from TLS that XoT did not need its own ALPN code, but
could simply use the DoT ALPN since the messages are distinguishable on the
wire.

To not use an ALPN at all violates best TLS practice. The reasoning given in
Appendix A, that this creates difficulty for proxies, doesn't make sense to me.
We can talk about it in the telechat.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

- There ought to be a warning somewhere that mTLS verifies that the CA has
verified identity, while IP ACLs merely prove that the bearer can observe the
path to the address. The former is much stronger than the latter, unless there
are more mechanisms built into the ACL than are obvious from the text here.
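Added example, not part of Martin Duke's ballot or of the draft: a Go loopback TLS 1.3 exchange that makes the two checks behind the DISCUSS and the first COMMENT concrete. The server offers the DoT ALPN identifier "dot" (the identifier registered by RFC 7858, which is what "the DoT ALPN" above refers to) and refuses to serve a session that did not negotiate it, and it requires and verifies a client certificate, which is the mTLS property being contrasted with IP ACLs. The certificates, the names "xot-primary" and "xot-secondary", and the Handshake helper are constructed for this example only. The explicit post-handshake ALPN check is there because Go's own server accepts a ClientHello that carries no ALPN extension at all and simply reports an empty NegotiatedProtocol; an XoT server that wants "ALPN is mandatory" has to enforce it itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// DoTALPN is the ALPN identifier registered for DNS over TLS (RFC 7858).
const DoTALPN = "dot"

// selfSigned builds a throwaway self-signed certificate for 127.0.0.1 that also
// serves as its own trust anchor. Constructed test material, not a deployment.
func selfSigned(cn string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Handshake runs one TLS 1.3 handshake over loopback and returns the server's
// verdict: nil if it would serve an XFR on the session, otherwise the refusal.
// clientALPN is what the client offers (nil = no ALPN extension at all);
// sendClientCert controls whether the client authenticates with a certificate.
func Handshake(clientALPN []string, sendClientCert bool) error {
	serverCert, serverPool, err := selfSigned("xot-primary")
	if err != nil {
		return err
	}
	clientCert, clientPool, err := selfSigned("xot-secondary")
	if err != nil {
		return err
	}
	serverCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{serverCert},
		NextProtos:   []string{DoTALPN},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mTLS: a CA vouches for the peer
		ClientCAs:    clientPool,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()

	verdict := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		conn := tls.Server(raw, serverCfg)
		defer conn.Close()
		if err := conn.Handshake(); err != nil {
			verdict <- fmt.Errorf("handshake refused: %w", err)
			return
		}
		// Go's server accepts a ClientHello with no ALPN extension and reports
		// an empty NegotiatedProtocol, so "must use ALPN" is enforced here,
		// before any zone data is sent.
		if p := conn.ConnectionState().NegotiatedProtocol; p != DoTALPN {
			verdict <- fmt.Errorf("negotiated ALPN %q, want %q; refusing XFR", p, DoTALPN)
			return
		}
		verdict <- nil
	}()

	clientCfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: serverPool, NextProtos: clientALPN}
	if sendClientCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		defer c.Close() // stay connected until the server has ruled
	}
	select {
	case err := <-verdict:
		return err
	case <-time.After(5 * time.Second):
		return errors.New("server never reported a verdict")
	}
}
```

Calling Handshake([]string{DoTALPN}, true) is the only combination the server serves; Handshake(nil, true) is rejected by the post-handshake ALPN check even though the TLS handshake itself completed, and Handshake([]string{DoTALPN}, false) is rejected inside the handshake because RequireAndVerifyClientCert is set. Note that in TLS 1.3 the client's Dial can return success before the server has decided to refuse, which is why the verdict is taken from the server side.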