Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Wed, 09 March 2016 22:29 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14A512D8E5 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 14:29:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihmWKLDWwxA2 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 14:29:15 -0800 (PST)
Received: from mail-qg0-x262.google.com (mail-qg0-x262.google.com [IPv6:2607:f8b0:400d:c04::262]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 555AB12DA43 for <dns-privacy@ietf.org>; Wed, 9 Mar 2016 14:24:10 -0800 (PST)
Received: by mail-qg0-x262.google.com with SMTP id p68so6152135qge.0 for <dns-privacy@ietf.org>; Wed, 09 Mar 2016 14:24:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:content-id :content-transfer-encoding:mime-version; bh=PsT0Sc1zmcmBICgC6ybSN/zbr32XIFRvXxT6BXvY75U=; b=Q0KkC0Kt52a2ntUBjfwtjJK8qKVWsORk1g/+echGHwomYVVpgFAL6qm3b/Ji3U/y7r R/AIYiArI9G0ElCLzuj1P2QE8oWA4aeRFDJaDWuYYyPW8/px1absTipkOB9QFXayIun1 HDri9W0pkiRNZxvHC9i3GM2IOD7ETxg8MonO66VJONS5+zaVc+/baGoaZ5AJAoGvxqdN g0hwf5qv0R9pg+RJSuA8vyNISByTiT7AdC48/d5Obqw0fBNlg0rihNDFBydR7yHaYxwO Uw0mjs6/ULO02Gnth1eW27TGHQlsfb9O5NuXx4jbrxk6AXBVQ+J9tUX+uEToSblolMev Zzbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-id:content-transfer-encoding:mime-version; bh=PsT0Sc1zmcmBICgC6ybSN/zbr32XIFRvXxT6BXvY75U=; b=dIsDp5eznJMc4VeCQIdyjDW6QZb8MTSo5xum7vGIxYcB19qe0GHDOTEcG8cRq4vTSA EBz+XMad4DtcsKOdH2on8ossIfGY75GqHY3Erq7RRO+TbHJb+ltfJzcpIwUjKdx3EGAU DIDh3MR8tuAX0KsVP0PP7eWkR8s7gGSUYFTUYEwrsejSSQlrdE3xZT3gSiYenMWF37gS Qa3iB0ws5yJ2NSQeywxtP1ylIZG6MYMkF3CFjd0TwuIl3XGt1lLNaxBtdPZlgK2XILft EjWizAOEUdRlBhspHzc1IAVnwR1GbN24M1li1K3xRxo+GaIstViUOp5XCpE7E7HwisKi nukg==
X-Gm-Message-State: AD7BkJKSNdTXDJe4Dx8Q1l0xybnsQ6VIWZXHeM/TNq5i0KiObcEs8dIfxS1nz3WZf60ZK0GjkF+a+D16Y9dhGEiLg5On5aSC
X-Received: by 10.55.217.17 with SMTP id u17mr157814qki.108.1457562249430; Wed, 09 Mar 2016 14:24:09 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id z142sm112631qka.11.2016.03.09.14.24.09 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 09 Mar 2016 14:24:09 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u29MO8u4031525 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 9 Mar 2016 17:24:08 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Wed, 9 Mar 2016 17:24:08 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
Thread-Index: AQHReg6xm11l7pQYoEaC41e3MKdhUJ9SBGiA
Date: Wed, 09 Mar 2016 22:24:07 +0000
Message-ID: <D04AE8A1-4F47-4EFC-9527-7B3A778E5EBD@verisign.com>
References: <20160309141923.27481.29744.idtracker@ietfa.amsl.com>
In-Reply-To: <20160309141923.27481.29744.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <352FF96B6A2A7648B9E3B6AD2EDD6DB9@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/fLrHFXw9TiQDJwEoLMufJDp3lGc>
Cc: Allison Mankin <allison.mankin@gmail.com>, "draft-ietf-dprive-dns-over-tls@ietf.org" <draft-ietf-dprive-dns-over-tls@ietf.org>, Sara Dickinson <sara@sinodun.com>, The IESG <iesg@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 22:29:29 -0000
Hi Stephen, > On Mar 9, 2016, at 6:19 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > (1) 4.2: Why didn't you just mandate one way of calculating a > fingerprint as being mandatory to implement? (E.g. a sha256 hash of > the DER encoded SPKI?) I don't think that was intentional. Happy to add it as a requirement. Implementations of this privacy profile MUST support the calculation and representation of a fingerprint as the SHA-256 [RFC6234] hash of the DER-encoded ASN.1 representation of the Subject Public Key Info (SPKI) of an X.509 certificate. Additional fingerprint types MAY also be supported. > and why is the "don't pin to a CA" rule in > appendix A not a MUST in the body of the document? The appendix essentially says "service-specific private CA: good. public CA: bad" I don't think we can make it a MUST because (a) how do you enforce that and (b) we don't expect the DNS client to differentiate between private/public CAs. > Wouldn't it be > better to do both of those? Sorry, I'm not sure what you mean by "do both of those"? > (Or to say why you're not doing them, > e.g. if current implementations do different things.) Given that > recursives publishing PINs will pick something, having that > something supported by all clients would seem like a fine thing. I agree that it might be better to move the sentence below from the appendix to the main body. Operators of a DNS-over-TLS service in this profile are expected to provide pins that are specific to the service being pinned (i.e., public keys belonging directly to the end-entity or to a service-specific private CA) and not to public key(s) of a generic public CA. > > (2) Section 5: Is it ok to (almost:-) recommend TLS false start like > that? Don't you need to at least point out that that has additional > requirements over and above RFC7525? I've not checked those in > detail though, as I'm waiting for the TLS WG to do their publication > request for false start. If you've done that checking, then you > might be just able to say "yeah, that's not a problem" but I'd like > to know since implementers here are likely to read this as saying > "Do RFC7525 and you're good." I don't know. I need to defer to TLS experts on this one. This may be a case where the risks (of getting it wrong) outweigh the benefits (of sometimes lower latency) so maybe it should be removed? DW
- [dns-privacy] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell