[dns-privacy] Martin Duke's Discuss on draft-ietf-dprive-xfr-over-tls-11: (with DISCUSS and COMMENT)
Martin Duke via Datatracker <noreply@ietf.org> Mon, 03 May 2021 18:37 UTC
From: Martin Duke via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dprive-xfr-over-tls@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, tjw.ietf@gmail.com, tjw.ietf@gmail.com
Date: Mon, 03 May 2021 11:37:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/9qy-ISK3K5i0ITo3LbUuPngmTgQ>
Martin Duke has entered the following ballot position for
draft-ietf-dprive-xfr-over-tls-11: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

In further discussions it became clear that the authors do not intend for XoT
traffic to use an ALPN code at all. I'm afraid this may be a misunderstanding
of previous guidance from TLS that XoT did not need its own ALPN code, but
could simply use the DoT ALPN since the messages are distinguishable on the
wire. To not use an ALPN at all violates best TLS practice. The reasoning
given in Appendix A, that this creates difficulty for proxies, doesn't make
sense to me. We can talk about it in the telechat.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

- There ought to be a warning somewhere that mTLS verifies that the CA has
verified identity, while IP ACLs merely prove that the bearer can observe the
path to the address. The former is much stronger than the latter, unless there
are more mechanisms built into the ACL than are obvious from the text here.
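The two points raised above, the DoT ALPN and mTLS versus IP ACLs, as an added example that is not part of the ballot, the draft or any XoT implementation: a Go crypto/tls configuration for an XoT primary that offers the DoT ALPN "dot" and admits a secondary only on a verified client certificate, with a loopback handshake driver showing that a certificate-bearing secondary negotiates "dot" while a client that connects from the same (loopback) address with no certificate, or with no ALPN, is refused. It assumes only the Go standard library and a usable loopback interface; the certificates are throwaway self-signed ones constructed in the block, and SelfSigned, XoTServerConfig and Handshake are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)
func SelfSigned(name string) tls.Certificate { // throwaway cert, constructed for this example
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der) // Leaf lets a peer add this cert to a CertPool
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// XoTServerConfig: the primary offers only the DoT ALPN "dot" and authenticates each
// secondary by its certificate (mTLS); the address a client connects from proves nothing.
func XoTServerConfig(cert tls.Certificate, secondaries *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert}, NextProtos: []string{"dot"},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: secondaries,
	}
}
// Handshake runs one handshake over loopback TCP (assumed available) and returns the
// ALPN the server negotiated plus the error, if any, with which it refused the client.
func Handshake(srvCfg, cliCfg *tls.Config) (string, error) {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go func() { // client side: finish the handshake, then wait for the server to finish
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Read(make([]byte, 1)) // returns once the server closes or sends an alert
			c.Close()
		}
	}()
	raw, _ := ln.Accept()
	srv := tls.Server(raw, srvCfg)
	defer srv.Close()
	err := srv.Handshake()
	p := srv.ConnectionState().NegotiatedProtocol
	if err == nil && p != "dot" { // crypto/tls admits a client that offered no ALPN; XoT must not
		err = errors.New("xot: client did not negotiate the dot ALPN")
	}
	return p, err
}
```

Current Go rejects a client whose offered ALPN list has no overlap with NextProtos during the handshake, but it silently admits one that sends no ALPN extension at all, which is why Handshake checks NegotiatedProtocol itself before treating the connection as XoT.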