[DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis

Paul Hoffman <paul.hoffman@icann.org> Mon, 08 July 2024 18:09 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 890D0C1F6C85; Mon, 8 Jul 2024 11:09:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jpVoiyYGON7A; Mon, 8 Jul 2024 11:09:04 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15052C1F6C99; Mon, 8 Jul 2024 11:08:53 -0700 (PDT)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa3.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 468I8qVw013430 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 8 Jul 2024 18:08:52 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Mon, 8 Jul 2024 11:08:51 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.034; Mon, 8 Jul 2024 11:08:51 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Thread-Topic: [Ext] [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Thread-Index: AQHazViFv5RZJQqVmkq0uJzy3AFpG7Htnm2A
Date: Mon, 08 Jul 2024 18:08:51 +0000
Message-ID: <FDC4AF8E-A277-49E7-B77B-41BC654B3D30@icann.org>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com> <SA1PR15MB4370EF76BF8382726844137CB3DD2@SA1PR15MB4370.namprd15.prod.outlook.com>
In-Reply-To: <SA1PR15MB4370EF76BF8382726844137CB3DD2@SA1PR15MB4370.namprd15.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <2CF53329DE77A54FB0EACB24E7C3BE64@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-08_09,2024-07-05_01,2024-05-17_01
Message-ID-Hash: KJFEL2RXZFC2SH3QCGHVVBWA6STWLSUP
X-Message-ID-Hash: KJFEL2RXZFC2SH3QCGHVVBWA6STWLSUP
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8uKpsToD_UHldyMg4ewmuEw-e6U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Jul 3, 2024, at 07:50, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:

> Section 1.1
> 
> I like the "assumed and not derived" notion for a "trust anchor", but it's tricky and bears a bit more explanation.  Rather than repeating it in the following sentence, perhaps you could say "the decision to trust this entity is made outside of the system that relies on it".  My point is that "assumed and not derived" requires a certain sort of "horizon" comprising a single "system"; expand the horizon and it is indeed derived.  For example, trust in these DNSKEYs can be derived from the CMS signature, making the ICANN CA the trust anchor, but that process is outside of DNSSEC, so from DNSSEC's perspective the root key is the trust anchor.

This is addressed in the revised draft coming out shortly.

> Section 3.1
> 
> The existence of a protocol called "HTTPS" is controversial in the HTTP world.  I recommend checking with the HTTPBIS chairs or other relevant experts on this point of style.

This can be done during IETF Last Call. I'm hesitant to change this based on opinions that are not instantiated in an RFC.

> Section 3.3
> 
> This section says "cryptographic assurance for the contents of the trust anchor now comes from the web PKI as described in Section 3.2", but Section 3.2 outlines two ways to verify the contents: an attached signature or TLS.  The TLS case looks like the Web PKI, especially since it is not guaranteed to chain to any particular root CA,  but the attached signature does not seem to represent a dependency on the Web PKI.

This is addressed in the revised draft coming out shortly.

--Paul Hoffman