Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 26 October 2016 14:59 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1ED2F1294B5 for <dns-privacy@ietfa.amsl.com>; Wed, 26 Oct 2016 07:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpnEoq8LCv7t for <dns-privacy@ietfa.amsl.com>; Wed, 26 Oct 2016 07:59:17 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8622C1294AA for <dns-privacy@ietf.org>; Wed, 26 Oct 2016 07:59:17 -0700 (PDT)
Received: from [10.32.60.145] (50-1-99-230.dsl.dynamic.fusionbroadband.com [50.1.99.230]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u9QExDeT045036 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 26 Oct 2016 07:59:15 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-99-230.dsl.dynamic.fusionbroadband.com [50.1.99.230] claimed to be [10.32.60.145]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Sara Dickinson" <sara@sinodun.com>
Date: Wed, 26 Oct 2016 07:59:14 -0700
Message-ID: <64813B2D-063A-49B2-8A82-7C248681B641@vpnc.org>
In-Reply-To: <7BAA0258-E476-4940-8430-80BC8ED4FD94@sinodun.com>
References: <5dc29c0c-9f34-dcac-8d94-f2722ee6a4ba@gmail.com> <03AC11BC-BE33-47B8-B1A2-1BDC26280B2C@vpnc.org> <7BAA0258-E476-4940-8430-80BC8ED4FD94@sinodun.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.5r5263)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/t9gB11gNQMIxfgDlFquESEXT2_s>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Working Group Last Call draft-ietf-dprive-dtls-and-tls-profile
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Oct 2016 14:59:19 -0000

On 26 Oct 2016, at 6:23, Sara Dickinson wrote:

>
>> Section 1: "The proposals here might be adapted or extended in future 
>> to be used for recursive clients and authoritative servers, but this 
>> application is out of scope for the DNS PRIVate Exchange (DPRIVE) 
>> Working Group per its current charter." This document will long 
>> outlive the WG, so everything after the first comma should be 
>> removed.
>
> So…. this got added after multiple comments of ‘why is recursive 
> to auth not in scope?”. It is also lifted directly from RFC7858 
> (DNS-over-TLS) as it was the wording used to justify the scope at the 
> time of publication of that document. But there have been several 
> comments on this sentence and that is the response I have given every 
> time :-)  If the charter is changed before this document is published 
> I agree this should be updated but I happen to think this gives useful 
> context for future readers. But would like to hear what others think.

Saying "The proposals here might be adapted or extended in future to be 
used for recursive clients and authoritative servers" should be 
sufficient to say "it's not like we didn't think about it". If people 
really want to have the charter discussion in this long-lived RFC, at 
least change the second clause to "but this application was out of scope 
for the Working Group charter at the time this document was finished".

>> Section 1: "How a DNS client can verify that any given credential 
>> matches the domain name obtained for a DNS server." "obtained" is 
>> somewhat difficult here because there are many ways that the name is 
>> determined. Proposal: "matches the domain name of the DNS server”.
>
> We used the word ‘obtained' here as in the early discussions there 
> was confusion about what domain name (or names) a DNS server serves, 
> and what the domain name that is used for authentication is. We wanted 
> to be clear there is no correlation between the two.  Hence the rather 
> clumsy wording that is at least consistent between the first and third 
> bullet points.
>
> OLD:
>    o  How a DNS client can obtain a domain name for a DNS server to 
> use
>       for (D)TLS authentication.
>
>    o  What are the acceptable credentials a DNS server can present to
>       prove its identity for (D)TLS authentication based on a given
>       domain name.
>
>    o  How a DNS client can verify that any given credential matches 
> the
>       domain name obtained for a DNS server.
>
> NEW:
>    o  How a DNS client can obtain an ‘authentication domain name' 
> for a DNS server to use
>       for (D)TLS authentication.
>
>    o  What are the acceptable credentials a DNS server can present to
>       prove its identity for (D)TLS authentication based on a given
>       domain name.
>
>    o  How a DNS client can verify that any given credential matches 
> the
>       ‘authentication domain name' for a DNS server.
>
> In fact maybe it would be better to define ‘authentication domain 
> name’ in the terminology an use it throughout?

That would be good, yes. But "obtained" still sounds like it might come 
from the DNS itself, not from configuration or DHCP.

>> Section 4.3.1: "Bootstrapping" is not a widely-understood term.
>
> Really? A quick Google finds RFC4173 from 2005 which has Bootstrapping 
> in the title.

"Pulling yourself up by your own bootstraps" is a difficult idiom for 
people even if English is their first language.

> It would be nice to keep it unless there are general objections as it 
> more accurately describes the specific issue addressed in that 
> section.

In this specific case, it's more "chicken or egg" than "bootstrap" 
because you actually do first use the unsecured DNS. Maybe just 
"Startup" for the title and leave bootstrap in the body text (which does 
describe the problem quite well).

--Paul Hoffman