Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Wed, 09 March 2016 21:42 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3DD612D589 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 13:42:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nie3uOCdprT for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 13:42:38 -0800 (PST)
Received: from mail-qg0-x264.google.com (mail-qg0-x264.google.com [IPv6:2607:f8b0:400d:c04::264]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48E0B12D5AA for <dns-privacy@ietf.org>; Wed, 9 Mar 2016 13:39:52 -0800 (PST)
Received: by mail-qg0-x264.google.com with SMTP id p68so6048751qge.0 for <dns-privacy@ietf.org>; Wed, 09 Mar 2016 13:39:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:content-id :content-transfer-encoding:mime-version; bh=PCxxc1P/imV+tPS7wdUufS1FL44SNJSNbgtvaKArrJw=; b=WcU6760dCge97kICNcIFpXvFeU4kCddi7TnLW8iMyi10wB6GEpBUoW5Utio7RdzKzF Yf4foY2GuwJ5qXzfaJ3TiBaTQ19HxDg3pqzduV1fShEI12kiBEt7FQbvf7L6Ioo22kvs PyWadF2Dap7dLykPW2DJG8aamnomzuDDeO5RTfE/nRVf0/fVQz6ZfmJEoBsGp/bd0lW5 vALTuEDHiz7FvpfH1Ar3mgRzaYDwZ9L78KLhSZVy1FVmxxMrg+IOXH1Z22kN87hYPmWC MDe6EIjuXd2fgbowsFlsuZ5kFLnZMTp3CaDBrYkdj3XqLBKKdX73O1lmQC5d5rNP0bp4 LIww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-id:content-transfer-encoding:mime-version; bh=PCxxc1P/imV+tPS7wdUufS1FL44SNJSNbgtvaKArrJw=; b=W7oC2L69A497+QrGNyiNb/UBMeABQ3YNEobfoTc0HvfwGaKI54IoMkggWhW49rbJrj L5tHIMQdfsAPn+RY5mEic2hLm1Qcu53UkM1ltelVKNV6+DrzHwyfJM55VozuIQ6+dg95 aFvcJK8zi9hIjsgCzZuX45EXLo7dY9Xpeb7//d1HkzgkQ/XBA9wMdKmf3D+0QfvDO2R7 G0firSJt17WJZ3aap0u+gl8GvQgm7glu1MWsmRtxIyLvBgBk0ZGQyeQTexc7oNdXU1FT i2Nxt57C36pEr8rpu50If5BDSCcgIPRNj3CLbfGCTzZyCNo4f+cR/QLYsEytNn0gN4mh +pYQ==
X-Gm-Message-State: AD7BkJLp3EBHEODPguO7HTJKkr+c5HSCpmvJ/GczQMicC8fXIJnHGEqWWaKTAJuOKSuI98slm3wPs1+jc6Ae40uttEDtebiW
X-Received: by 10.140.98.163 with SMTP id o32mr687125qge.46.1457559591138; Wed, 09 Mar 2016 13:39:51 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id c62sm99750qkb.0.2016.03.09.13.39.50 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 09 Mar 2016 13:39:51 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u29Ldn69026286 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 9 Mar 2016 16:39:50 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Wed, 9 Mar 2016 16:39:47 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
Thread-Index: AQHReg6xm11l7pQYoEaC41e3MKdhUJ9Rxu8AgAAq3oCAAAY4gA==
Date: Wed, 09 Mar 2016 21:39:47 +0000
Message-ID: <CF8F04AC-4113-4CF1-BC56-80D56B3278EA@verisign.com>
References: <20160309141923.27481.29744.idtracker@ietfa.amsl.com> <B870977A-D693-491E-B0FF-B97120C98CD8@verisign.com> <56E092D9.6070703@cs.tcd.ie>
In-Reply-To: <56E092D9.6070703@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <36273A140E4E0346BEA4473D2E1FD236@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/_D26nD6gxkMBqLqoOiVCifOSO3U>
Cc: Allison Mankin <allison.mankin@gmail.com>, "draft-ietf-dprive-dns-over-tls@ietf.org" <draft-ietf-dprive-dns-over-tls@ietf.org>, Sara Dickinson <sara@sinodun.com>, The IESG <iesg@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 21:42:39 -0000
> On Mar 9, 2016, at 1:17 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > >> >>> >>> - 3.2: "make use of trusted a SPKI Fingerprint pinset" needs to be >>> rephrased. >> >> Do you say that because SPKI is not spelled out at this point, or >> something else? We've since expanded SPKI here. > > No "trusted a SPKI" seems like Yoda-speak is all:-) Okay, wow... I must've read that at least five times today and not noticed. > >> >>> >>> - 3.4, 2nd last para: this recommends using tickets (RFC5077), which >>> is fine. RFC7525 (section 3.4) suggests changing tickets at least >>> weekly. Is that suggestion also good here or would it be better to >>> recommend (or suggest) some other ticket lifetime? I'd guess >>> it's fine but maybe you know better? >> >> Ticket lifetime hasn't come up before, so I would assume the RFC7525 >> recommendation is fine. >> >> >>> >>> - 4.1, RFC 7435 is about "opportunistic security" and not about >>> "opportunistic encryption." That followed a long terminology debate, >>> so you might want to s/encryption/security/ there. (But I don't care >>> personally:-) >> >> I've changed it to opportunistic encryption. > > It was that before, though. Maybe you did s/encryption/security/ > which'd be fine. Yes, sorry! <section title="Opportunistic Privacy Profile"> <t> For opportunistic privacy, analogous to SMTP opportunistic - encryption <xref target="RFC7435"/> one does not require privacy, + security <xref target="RFC7435"/>, one does not require privacy, but one desires privacy when possible. </t> >> >> How does this look to you? >> >> Since >> padding of DNS messages is new, implementations might need to >> support multiple types of padding or other mitigation techniques >> in response to traffic analysis threats. > > I'd suggest instead: > > "Since traffic analysis can be based on many kinds of pattern > and many kinds of classifier, simple padding schemes may not > by themselves be sufficient to mitigate the attack. Padding > will however form a part of more complex mitigations for the > traffic analysis attack that are likely to be developed over > time. Implementers who can offer flexibility in terms of how > padding can be used may be in a better position to enable such > mitigations to be deployed in future." Excellent, thank you. DW
- [dns-privacy] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell