Re: [dns-privacy] [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)

Paul Hoffman <paul.hoffman@icann.org> Tue, 19 September 2023 23:59 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Roman Danyliw <rdd@cert.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dprive-unilateral-probing@ietf.org" <draft-ietf-dprive-unilateral-probing@ietf.org>, "dprive-chairs@ietf.org" <dprive-chairs@ietf.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "brian@innovationslab.net" <brian@innovationslab.net>, Tim Wicinski <tjw.ietf@gmail.com>
Thread-Topic: [Ext] Roman Danyliw's No Objection on draft-ietf-dprive-unilateral-probing-12: (with COMMENT)
Thread-Index: AQHZ6zlkPtS+X/EESU+/MgWXnItugrAjSZaA
Date: Tue, 19 Sep 2023 23:59:38 +0000
Message-ID: <C2BFFD12-6C91-4433-91B1-0D6F15B3A446@icann.org>
References: <169515596369.29731.2162345695284193885@ietfa.amsl.com>
In-Reply-To: <169515596369.29731.2162345695284193885@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/xapsSg5DYQ_yr34bVxV3iTdgro0>

On Sep 19, 2023, at 1:39 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thank you to Rich Salz for the SECDIR review.

+1

> 
> I support Paul’s DISCUSS positions.

We will respond to those in a separate message. We're working on that now.

> 
> ** Section 4.6.3.4
>   Because this probing policy is unilateral and opportunistic, the
>   client connecting under this policy MUST accept any certificate
>   presented by the server.  If the client cannot verify the server's
>   identity, it MAY use that information for reporting, logging, or
>   other analysis purposes.  But it MUST NOT reject the connection due
>   to the authentication failure, as the result would be falling back to
>   cleartext, which would leak the content of the session to a passive
>   network monitor.
> 
> What verification is expected?

We don't know. It was pointed out in the WG discussion that some PKIX libraries do different types of verification regardless of what you want them to do.

> When might it trigger “reporting, logging or
> other analysis”?

This appears to be library-specific (and probably changes over time as well...).

>  I ask because the text seems to unambiguously say all server
> certificates must be accepted and then again that no connections can be
> rejected.

Yes, exactly. Even if you can't stop your library from verifying, you must be able to ignore the verification failures.

--Paul Hoffman