IETF Logo Mail Archive

Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Wed, 09 March 2016 22:29 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14A512D8E5 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 14:29:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ihmWKLDWwxA2 for <dns-privacy@ietfa.amsl.com>; Wed, 9 Mar 2016 14:29:15 -0800 (PST)
Received: from mail-qg0-x262.google.com (mail-qg0-x262.google.com [IPv6:2607:f8b0:400d:c04::262]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 555AB12DA43 for <dns-privacy@ietf.org>; Wed, 9 Mar 2016 14:24:10 -0800 (PST)
Received: by mail-qg0-x262.google.com with SMTP id p68so6152135qge.0 for <dns-privacy@ietf.org>; Wed, 09 Mar 2016 14:24:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:content-id :content-transfer-encoding:mime-version; bh=PsT0Sc1zmcmBICgC6ybSN/zbr32XIFRvXxT6BXvY75U=; b=Q0KkC0Kt52a2ntUBjfwtjJK8qKVWsORk1g/+echGHwomYVVpgFAL6qm3b/Ji3U/y7r R/AIYiArI9G0ElCLzuj1P2QE8oWA4aeRFDJaDWuYYyPW8/px1absTipkOB9QFXayIun1 HDri9W0pkiRNZxvHC9i3GM2IOD7ETxg8MonO66VJONS5+zaVc+/baGoaZ5AJAoGvxqdN g0hwf5qv0R9pg+RJSuA8vyNISByTiT7AdC48/d5Obqw0fBNlg0rihNDFBydR7yHaYxwO Uw0mjs6/ULO02Gnth1eW27TGHQlsfb9O5NuXx4jbrxk6AXBVQ+J9tUX+uEToSblolMev Zzbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-id:content-transfer-encoding:mime-version; bh=PsT0Sc1zmcmBICgC6ybSN/zbr32XIFRvXxT6BXvY75U=; b=dIsDp5eznJMc4VeCQIdyjDW6QZb8MTSo5xum7vGIxYcB19qe0GHDOTEcG8cRq4vTSA EBz+XMad4DtcsKOdH2on8ossIfGY75GqHY3Erq7RRO+TbHJb+ltfJzcpIwUjKdx3EGAU DIDh3MR8tuAX0KsVP0PP7eWkR8s7gGSUYFTUYEwrsejSSQlrdE3xZT3gSiYenMWF37gS Qa3iB0ws5yJ2NSQeywxtP1ylIZG6MYMkF3CFjd0TwuIl3XGt1lLNaxBtdPZlgK2XILft EjWizAOEUdRlBhspHzc1IAVnwR1GbN24M1li1K3xRxo+GaIstViUOp5XCpE7E7HwisKi nukg==
X-Gm-Message-State: AD7BkJKSNdTXDJe4Dx8Q1l0xybnsQ6VIWZXHeM/TNq5i0KiObcEs8dIfxS1nz3WZf60ZK0GjkF+a+D16Y9dhGEiLg5On5aSC
X-Received: by 10.55.217.17 with SMTP id u17mr157814qki.108.1457562249430; Wed, 09 Mar 2016 14:24:09 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id z142sm112631qka.11.2016.03.09.14.24.09 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 09 Mar 2016 14:24:09 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u29MO8u4031525 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 9 Mar 2016 17:24:08 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Wed, 9 Mar 2016 17:24:08 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
Thread-Index: AQHReg6xm11l7pQYoEaC41e3MKdhUJ9SBGiA
Date: Wed, 09 Mar 2016 22:24:07 +0000
Message-ID: <D04AE8A1-4F47-4EFC-9527-7B3A778E5EBD@verisign.com>
References: <20160309141923.27481.29744.idtracker@ietfa.amsl.com>
In-Reply-To: <20160309141923.27481.29744.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <352FF96B6A2A7648B9E3B6AD2EDD6DB9@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/fLrHFXw9TiQDJwEoLMufJDp3lGc>
Cc: Allison Mankin <allison.mankin@gmail.com>, "draft-ietf-dprive-dns-over-tls@ietf.org" <draft-ietf-dprive-dns-over-tls@ietf.org>, Sara Dickinson <sara@sinodun.com>, The IESG <iesg@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 22:29:29 -0000

Hi Stephen,


> On Mar 9, 2016, at 6:19 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> (1) 4.2: Why didn't you just mandate one way of calculating a
> fingerprint as being mandatory to implement? (E.g. a sha256 hash of
> the DER encoded SPKI?)

I don't think that was intentional.  Happy to add it as a requirement.

   Implementations of this privacy profile MUST support the calculation
   and representation of a fingerprint as the SHA-256 [RFC6234] hash of
   the DER-encoded ASN.1 representation of the Subject Public Key Info
   (SPKI) of an X.509 certificate.  Additional fingerprint types MAY
   also be supported.



> and why is the "don't pin to a CA" rule in
> appendix A not a MUST in the body of the document?

The appendix essentially says "service-specific private CA: good. public CA: bad"

I don't think we can make it a MUST because (a) how do you enforce that and
(b) we don't expect the DNS client to differentiate between private/public CAs.

> Wouldn't it be
> better to do both of those?

Sorry, I'm not sure what you mean by "do both of those"?

> (Or to say why you're not doing them,
> e.g. if current implementations do different things.) Given that
> recursives publishing PINs will pick something, having that
> something supported by all clients would seem like a fine thing.

I agree that it might be better to move the sentence below from the appendix
to the main body.

   Operators of a DNS-over-TLS service in this profile are
   expected to provide pins that are specific to the service being
   pinned (i.e., public keys belonging directly to the end-entity or to
   a service-specific private CA) and not to public key(s) of a generic
   public CA.



> 
> (2) Section 5: Is it ok to (almost:-) recommend TLS false start like
> that?  Don't you need to at least point out that that has additional
> requirements over and above RFC7525? I've not checked those in
> detail though, as I'm waiting for the TLS WG to do their publication
> request for false start. If you've done that checking, then you
> might be just able to say "yeah, that's not a problem" but I'd like
> to know since implementers here are likely to read this as saying
> "Do RFC7525 and you're good."

I don't know.  I need to defer to TLS experts on this one.

This may be a case where the risks (of getting it wrong) outweigh the benefits
(of sometimes lower latency) so maybe it should be removed?

DW

v2.23.0 | Report a Bug | By Email