Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
"Wessels, Duane" <dwessels@verisign.com> Thu, 10 March 2016 18:01 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0EA812DB69 for <dns-privacy@ietfa.amsl.com>; Thu, 10 Mar 2016 10:01:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEtLFgahNqvr for <dns-privacy@ietfa.amsl.com>; Thu, 10 Mar 2016 10:01:00 -0800 (PST)
Received: from mail-qg0-x261.google.com (mail-qg0-x261.google.com [IPv6:2607:f8b0:400d:c04::261]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1914F12DB6C for <dns-privacy@ietf.org>; Thu, 10 Mar 2016 10:01:00 -0800 (PST)
Received: by mail-qg0-x261.google.com with SMTP id y89so8641121qge.3 for <dns-privacy@ietf.org>; Thu, 10 Mar 2016 10:01:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:content-id :content-transfer-encoding:mime-version; bh=Lqmb65/RGaTOgatMDMGP71IAftB55VC6Twk6AfH8pa8=; b=0wh2c7ItqhAj4bsvtqmQAF2WX49Zif06+GjRwywQTMOF0Lkxgu3qgiQ8VukvFi/aqh uQyeziFs3bknf9GR4nR9kYlEeeonxC6e6EBnJGK2pjmUgJq1HAe5o2I0zZ7vZE0DRs2x bkMdQI9l8oDq3BUepjZBGd2MdGD4pB3xJYcNh7q6I3GwKt7WwkzMD4AJJxX8YoknBnw2 iZpOrENbJKoioco+klU5GwfTOa9++e1Prm4Myt9stYZdHKCg/U7ZZD6PfdU9tNlHmVnf ISRk0dKrc1YkDuWWdFIDVyke2pFEbkIkCRDMN7Smd2dIS2DHgH9zGbizn2SF9u1+bqTJ bWJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-id:content-transfer-encoding:mime-version; bh=Lqmb65/RGaTOgatMDMGP71IAftB55VC6Twk6AfH8pa8=; b=ZbwKcBBCbPplUq5WJpd9SsEetw0hsQfLK2mA0vjq/cYpOvZrGcn/EsubVJuiWU3wmb WpCdO4OQhWzp2qIR5W7lVz6nYJTKi6bPBKrs3UYks89Ffl5pjmlQgknrpzCsKSpiKW7B pN3NRy7cTZeosW4/Hjc7SakgjR82Vka745kB26whO8GVH3rrXsAT78teAAtmIB/6pAeX V2Oh28K/1RfdtMF5adua2XsKYQU3vS+j+/PT6NDLdquTw5nnEivMGUXKEAIzT2uKDICO yBFk/RfPy0gdOf6dDsMeBuTHwKFyGA1oTHhQLfMdo0jRMqiZ5B7FJZYkweiIqx/Rs+QE +v2g==
X-Gm-Message-State: AD7BkJJ45R42MMGnLxhAoD3DVwJMtd2ZIp9q1f7B9x1Sltg8LmAJ1x6HTcQcqPqsoYRJHy0wu41PxomDOyCAKlUctjBgVU5h
X-Received: by 10.140.91.35 with SMTP id y32mr5899989qgd.42.1457632859183; Thu, 10 Mar 2016 10:00:59 -0800 (PST)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id z142sm673029qka.11.2016.03.10.10.00.58 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 10 Mar 2016 10:00:59 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id u2AI0w7V028930 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 10 Mar 2016 13:00:58 -0500
Received: from BRN1WNEXMBX02.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 10 Mar 2016 13:00:58 -0500
From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
Thread-Index: AQHReg6xm11l7pQYoEaC41e3MKdhUJ9SBGiAgACsg4CAAJxKAA==
Date: Thu, 10 Mar 2016 18:00:56 +0000
Message-ID: <6F79D6C0-8B3D-49F4-A3A2-F5E29F83C1B2@verisign.com>
References: <20160309141923.27481.29744.idtracker@ietfa.amsl.com> <D04AE8A1-4F47-4EFC-9527-7B3A778E5EBD@verisign.com> <56E1332B.7030009@cs.tcd.ie>
In-Reply-To: <56E1332B.7030009@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <78CB1935542BFA498A2D01CCCADC329D@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dns-privacy/qbY152MPt3tQ_GIxcNekCFg_lCU>
Cc: Allison Mankin <allison.mankin@gmail.com>, "draft-ietf-dprive-dns-over-tls@ietf.org" <draft-ietf-dprive-dns-over-tls@ietf.org>, Sara Dickinson <sara@sinodun.com>, The IESG <iesg@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [dns-privacy] Stephen Farrell's Discuss on draft-ietf-dprive-dns-over-tls-07: (with DISCUSS and COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Mar 2016 18:01:02 -0000
> On Mar 10, 2016, at 12:41 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > Hiya, > > On 09/03/16 22:24, Wessels, Duane wrote: >> Hi Stephen, >> >> >>> On Mar 9, 2016, at 6:19 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: >>> >>> (1) 4.2: Why didn't you just mandate one way of calculating a >>> fingerprint as being mandatory to implement? (E.g. a sha256 hash of >>> the DER encoded SPKI?) >> >> I don't think that was intentional. Happy to add it as a requirement. >> >> Implementations of this privacy profile MUST support the calculation >> and representation of a fingerprint as the SHA-256 [RFC6234] hash of >> the DER-encoded ASN.1 representation of the Subject Public Key Info >> (SPKI) of an X.509 certificate. Additional fingerprint types MAY >> also be supported. > > That's great thanks. You maybe want to mention the base64 encoding > too if you want that to end up exactly as per Appendix A. Okay, it says this now: Implementations of this privacy profile MUST support the calculation of a fingerprint as the SHA-256 [RFC6234] hash of the DER-encoded ASN.1 representation of the Subject Public Key Info (SPKI) of an X.509 certificate. Implementations MUST support the representation of a SHA-256 fingerprint as a base 64 encoded character string [RFC4648]. Additional fingerprint types MAY also be supported. >> >>> (Or to say why you're not doing them, >>> e.g. if current implementations do different things.) Given that >>> recursives publishing PINs will pick something, having that >>> something supported by all clients would seem like a fine thing. >> >> I agree that it might be better to move the sentence below from the appendix >> to the main body. >> >> Operators of a DNS-over-TLS service in this profile are >> expected to provide pins that are specific to the service being >> pinned (i.e., public keys belonging directly to the end-entity or to >> a service-specific private CA) and not to public key(s) of a generic >> public CA. >> > > Fair enough. That sentence has now been moved to the opening paragraph of 4.2. > >> >> >>> >>> (2) Section 5: Is it ok to (almost:-) recommend TLS false start like >>> that? Don't you need to at least point out that that has additional >>> requirements over and above RFC7525? I've not checked those in >>> detail though, as I'm waiting for the TLS WG to do their publication >>> request for false start. If you've done that checking, then you >>> might be just able to say "yeah, that's not a problem" but I'd like >>> to know since implementers here are likely to read this as saying >>> "Do RFC7525 and you're good." >> >> I don't know. I need to defer to TLS experts on this one. >> >> This may be a case where the risks (of getting it wrong) outweigh the benefits >> (of sometimes lower latency) so maybe it should be removed? > > Some people will prefer the latency gain though as we know. > > I think in this case all you need to do is highlight that false > start has requirements over and above 7525, e.g. by saying: > > "Implementations supporting TLS false start need to be aware > that imposes additional constraints on how one uses TLS, > over and above those stated in BCP195. It is unsafe to use > false start if your implementation and deployment doesn't > adhere to these specific requirements. See [false-start] > for details of those additional constraints." I've added this with just minor edits, thanks. > PS: If the above changes are acceptable then my DISCUSS will > be sorted. > The link below will take you to an rfcdiff of all the changes since starting IESG evaluation http://goo.gl/Wwsr7M DW
- [dns-privacy] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Wessels, Duane
- Re: [dns-privacy] Stephen Farrell's Discuss on dr… Stephen Farrell