[dns-privacy] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 19 September 2023 20:39 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dns-privacy@ietf.org
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AC6EEC1782BF; Tue, 19 Sep 2023 13:39:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dprive-unilateral-probing@ietf.org, dprive-chairs@ietf.org, dns-privacy@ietf.org, brian@innovationslab.net, tjw.ietf@gmail.com, brian@innovationslab.net
X-Test-IDTracker: no
X-IETF-IDTracker: 11.11.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <169515596369.29731.2162345695284193885@ietfa.amsl.com>
Date: Tue, 19 Sep 2023 13:39:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/PrZ4aCvDvJIn2dWyQaG1WfKRZjk>
Subject: [dns-privacy] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2023 20:39:23 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-dprive-unilateral-probing-12: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dprive-unilateral-probing/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Rich Salz for the SECDIR review. I support Paul’s DISCUSS positions. ** Section 4.6.3.4 Because this probing policy is unilateral and opportunistic, the client connecting under this policy MUST accept any certificate presented by the server. If the client cannot verify the server's identity, it MAY use that information for reporting, logging, or other analysis purposes. But it MUST NOT reject the connection due to the authentication failure, as the result would be falling back to cleartext, which would leak the content of the session to a passive network monitor. What verification is expected? When might it trigger “reporting, logging or other analysis”? I ask because the text seems to unambiguously say all server certificates must be accepted and then again that no connections can be rejected.
- [dns-privacy] Roman Danyliw's No Objection on dra… Roman Danyliw via Datatracker
- Re: [dns-privacy] [Ext] Roman Danyliw's No Object… Paul Hoffman
- Re: [dns-privacy] [Ext] Roman Danyliw's No Object… Paul Wouters
- Re: [dns-privacy] [Ext] Roman Danyliw's No Object… Paul Hoffman
- Re: [dns-privacy] [Ext] Roman Danyliw's No Object… Peter Thomassen
- Re: [dns-privacy] [Ext] Roman Danyliw's No Object… John Levine
- Re: [dns-privacy] [Ext] Roman Danyliw's No Object… Paul Wouters