Re: [dns-privacy] Martin Duke's Discuss on draft-ietf-dprive-xfr-over-tls-11: (with DISCUSS and COMMENT)
Martin Duke <martin.h.duke@gmail.com> Thu, 06 May 2021 14:06 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 412633A2379; Thu, 6 May 2021 07:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7CUV7WUqO0q3; Thu, 6 May 2021 07:06:09 -0700 (PDT)
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F56B3A2377; Thu, 6 May 2021 07:06:08 -0700 (PDT)
Received: by mail-il1-x130.google.com with SMTP id y10so4900238ilv.0; Thu, 06 May 2021 07:06:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xVva1FonAqyGP6lv6eO1h8MnrkxIEGomSAh/QOM9ggA=; b=Hs59xnW6Ij90lVFrMRHIvZExJ2ssz6UH/oUzG+Ys0zLjfEWn/2JL7/MIRjahl1hy8k XcKU8SwkznQ84eJg5Y2i515ZE1y3+W1r/uUzHMoGWtLuzvW3B2Y/9HUo5vrReENAQe3V jnaiHfr+EhDNy1LbC7bHMTC4iczpSLJAeBg3cQGc1rAuKscp+AKz+MY+ljaasPSTplFK rBUxaqIe4ddtM4iTRSSsJSVLpwXwxiTQp/J++qmlvQezTX/tL12V90t5IxWjRtN5Vp/Q A2YXH3sj0nLBRCTDOX72PVZPmrJ1clQR8LjqsasuKDbvN7vN4fsedVQJnM2pmcJhZ4pt YiHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xVva1FonAqyGP6lv6eO1h8MnrkxIEGomSAh/QOM9ggA=; b=pEbqxSn7qtuFQw9780z9q5Fxnd1ZVgG80cQKUwZMunWJwoMRcoTqgV1/8f+RUAVDrz 4qOq1C1nSYhSLvcG9JSRIJa5gvajaWyA8hmsVoQtUBITc9My53VQKOLdGgGWfv+Cg+L4 qPViLbeBlTwbeawP7Xo1bCOQzTfXB32+wjmzkE4QGdyvDXFG4ZwcQ4TuvlsbVJ1abNO7 My+b/k/6q4+SBv9Be4Ld7ctq1QeL2ptSS556QznX5qXJ5poLbDiCGyTJ0henLFAxKEY/ Bc11grXprAirtszmafyZxy1JnfuVfxUisCgM1jYEWG68f6EI3V13vceuRRwtCDxfBSay +mvQ==
X-Gm-Message-State: AOAM532aVq95wnii0wKJ7V8iTFuu50NOgDN8xVJ/tcAFI+SdSkClC4kR 3cLI1rB2zR3+iQWnLGTs1ys8DhO+i27DNDCiuTg=
X-Google-Smtp-Source: ABdhPJw/eKIXiGn9d+II4EB1Hda9QWOykK9N3hNpRp8TP7PmoA6hnP157Egi+tgMI8cusy9OgNlsa/tpz/FQeXVw3iM=
X-Received: by 2002:a05:6e02:4c4:: with SMTP id f4mr4507007ils.272.1620309966680; Thu, 06 May 2021 07:06:06 -0700 (PDT)
MIME-Version: 1.0
References: <162006706040.3639.6179900042922096790@ietfa.amsl.com> <CALUxDspOEaSGnUdhh2ASFp6wOc66pdEy+kdRQudgw0EG-C3K9Q@mail.gmail.com> <CAM4esxQNyY+pZb-Dw7grKneULGfwjt5pV5GLjBsH9hf_Jp=yAQ@mail.gmail.com> <0670E630-1616-41C6-A3F2-3D17DEDB714B@sinodun.com>
In-Reply-To: <0670E630-1616-41C6-A3F2-3D17DEDB714B@sinodun.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Thu, 06 May 2021 07:05:59 -0700
Message-ID: <CAM4esxS-9ZFfo+Hcqb4hBr1scaUE9nQiJYOiM2FQ-GGqnZeFpQ@mail.gmail.com>
To: Sara Dickinson <sara@sinodun.com>
Cc: Allison Mankin <amankin@salesforce.com>, The IESG <iesg@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, dns-privacy@ietf.org, draft-ietf-dprive-xfr-over-tls@ietf.org, dprive-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000fd781205c1a9cf81"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/eWXYadsfAi08S16Dvr6AtPbtLbc>
Subject: Re: [dns-privacy] Martin Duke's Discuss on draft-ietf-dprive-xfr-over-tls-11: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2021 14:06:13 -0000
Yes, I'll lift it once the change lands. On Thu, May 6, 2021 at 3:32 AM Sara Dickinson <sara@sinodun.com> wrote: > Hi Martin, > > Just to follow up, the following exchange was had with Ben, who also > raised a DISCUSS on the topic of ALPN: > > As Allison already stated in reply to Martin, the authors agree that the > `dot` ALPN should be used here, in light of the recent discussions. > > > In terms of updating the text, I believe what is required is to add a new > section at the start of section 8: > > > "8.1 Connection establishment > > > During connection establishment the ALPN token “dot” [ref] MUST be > selected in the crypto handshake.” > > > (I'd s/crypto/TLS/, myself, but that's hardly critical.) > > I believe the later text relating to XoT vs ADoT in section 8.6 is still > fully applicable, unless you see something you believe also needs updating? > > > I also think that part looks fine. > > I will also update the first paragraph of Appendix A to reflect that the > main reason for not using a separate ALPN (as originally proposed) is > actually because XoT is DNS and so should share the `dot` ALPN. > > > Good catch; thanks! > > > > I hope this addresses your DISCUSS too? > > Regards > > Sara. > > > > > On 3 May 2021, at 20:35, Martin Duke <martin.h.duke@gmail.com> wrote: > > Excellent, > > Thanks for clarifying. > > On Mon, May 3, 2021 at 12:32 PM Allison Mankin <amankin@salesforce.com> > wrote: > >> Hi, Martin, >> >> Sara is out of the office for a day or two, so I will jump in. We do not >> object to using an ALPN code for DoT, and indeed, the message that ALPN >> should not distinguish between DoT and XoT drowned out the more important >> message that ALPN for DoT had to be there. A miss by the earlier reviewers. >> >> Allison >> >> >> Allison Mankin, Principal Architect, DNS-AEO Cloud Leader | Salesforce >> >> >> >> >> On Mon, May 3, 2021 at 2:37 PM Martin Duke via Datatracker < >> noreply@ietf.org> wrote: >> >>> Martin Duke has entered the following ballot position for >>> draft-ietf-dprive-xfr-over-tls-11: Discuss >>> >>> When responding, please keep the subject line intact and reply to all >>> email addresses included in the To and CC lines. (Feel free to cut this >>> introductory paragraph, however.) >>> >>> >>> Please refer to >>> https://www.ietf.org/iesg/statement/discuss-criteria.html >>> for more information about DISCUSS and COMMENT positions. >>> >>> >>> The document, along with other ballot positions, can be found here: >>> https://datatracker.ietf.org/doc/draft-ietf-dprive-xfr-over-tls/ >>> >>> >>> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> In further discussions it became clear that the authors do not intend >>> for XoT >>> traffic to use an ALPN code at all. I'm afraid this may be a >>> misunderstanding >>> of previous guidance from TLS that XoT did not need its own ALPN code, >>> but >>> could simply use the DoT ALPN since the messages are distinguishable on >>> the >>> wire. >>> >>> To not use an ALPN at all violates best TLS practice. The reasoning >>> given in >>> Appendix A, that this creates difficulty for proxies, doesn't make sense >>> to me. >>> We can talk about it in the telechat. >>> >>> >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> - There ought to be a warning somewhere that mTLS verifies that the CA >>> has >>> verified identity, while IP ACLs merely prove that the bearer can >>> observe the >>> path to the address. The former is much stronger than the latter, unless >>> there >>> are more mechanisms built into the ACL than are obvious from the text >>> here. >>> >>> >>> >>> _______________________________________________ >>> dns-privacy mailing list >>> dns-privacy@ietf.org >>> https://www.ietf.org/mailman/listinfo/dns-privacy >>> >> >
- [dns-privacy] Martin Duke's Discuss on draft-ietf… Martin Duke via Datatracker
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Allison Mankin
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Martin Duke
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Erik Kline
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Ben Schwartz
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Benjamin Kaduk
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Erik Kline
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Sara Dickinson
- Re: [dns-privacy] Martin Duke's Discuss on draft-… Martin Duke