IETF Logo Mail Archive

Re: [dns-privacy] Why is draft-ietf-dprive-dtls-and-tls-profiles still blocked?

Brian Haberman <brian@innovationslab.net> Fri, 27 October 2017 13:30 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9438A13A292 for <dns-privacy@ietfa.amsl.com>; Fri, 27 Oct 2017 06:30:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7PZL_IQ3E1G7 for <dns-privacy@ietfa.amsl.com>; Fri, 27 Oct 2017 06:30:56 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84E0913F516 for <dns-privacy@ietf.org>; Fri, 27 Oct 2017 06:30:56 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 73F14880E3 for <dns-privacy@ietf.org>; Fri, 27 Oct 2017 06:30:56 -0700 (PDT)
Received: from clemson.local (swifi-nat.jhuapl.edu [128.244.87.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 3B4A33280AE4 for <dns-privacy@ietf.org>; Fri, 27 Oct 2017 06:30:56 -0700 (PDT)
To: dns-privacy@ietf.org
References: <20171027125510.foq7xeiqft2vl7rx@nic.fr>
From: Brian Haberman <brian@innovationslab.net>
Message-ID: <e2db3154-d7e9-ec9c-b2f6-c6daa966cc26@innovationslab.net>
Date: Fri, 27 Oct 2017 09:30:43 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <20171027125510.foq7xeiqft2vl7rx@nic.fr>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="tgrtFUmOmvW4D3pJc5fHjmPrp98KIKIKu"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Fcxw6DnSlyM7P1QHoev8lpYMU58>
Subject: Re: [dns-privacy] Why is draft-ietf-dprive-dtls-and-tls-profiles still blocked?
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Oct 2017 13:30:58 -0000

Hi Stephane,

On 10/27/17 8:55 AM, Stephane Bortzmeyer wrote:
> The datatracker tells us that draft-ietf-dprive-dtls-and-tls-profiles
> has a DISCUSS "This needs to be updated to indicate that the client
> MUST NOT offer 7250 unless it has a preconfigured SPKI, otherwise
> you're going to have interop problems." The DISCUSS was against -09,
> the current version is -11 (1.5 months old) which does address the
> problem "A client MUST only indicate support for raw public keys if it
> has an SPKI pinset pre-configured (for interoperability reasons)."
> 
> Therefore, what's the problem with
> draft-ietf-dprive-dtls-and-tls-profiles?
> 

There was discussions with EKR over his issues and a revision published.
EKR asked for a review by DKG before he would clear his DISCUSS. We are
waiting on that review.

Regards,
Brian

v2.23.0 | Report a Bug | By Email