[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

John R Levine <johnl@taugh.com> Sat, 07 June 2025 13:32 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A58313224328 for <dnsop@mail2.ietf.org>; Sat, 7 Jun 2025 06:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="T9xizu0Y"; dkim=pass (2048-bit key) header.d=taugh.com header.b="rCLDYCZ2"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWkKUMe6DBhR for <dnsop@mail2.ietf.org>; Sat, 7 Jun 2025 06:32:22 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4BBB03224323 for <dnsop@ietf.org>; Sat, 7 Jun 2025 06:32:22 -0700 (PDT)
Received: (qmail 42808 invoked from network); 7 Jun 2025 13:32:21 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=a73668443f65.k2506; t=1749303131; x=1749648731; bh=lGPbwT6AgkQfRhIaBQDGCRg9vH6Z6EuzA3bYl0Gz9tw=; b=T9xizu0YMX7Q4aLnDO/Kga9C3I06d73HVZGvMLiZ0KeATXTIt+iYlpbEnNhjwz9RyPzQ6SxOBqUPk28NeueuHMb7P0OTAsoxKnNkYjdvNo/epJLu/04kMMNtPNomOKH9pIy9hOb5ucV0K2sY+SH007+1QuSz1wYAYYQT8HYXOCnRct16fVEqLLFffqH7NFrU1lQwAsrWx6Q57YRDmXAd3hM3LtwoIV2uAG0AonnTmjNlDiI9O8ahU7yWpcEHDYga1yXQmnJaMP77IRCg8RmjcX+8mgTAdIVv2Y/ONkkdfO8zcER8nPMxpHlXTyeutCnP6OzhG4OCeKcYvRWjBYJYoA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=a73668443f65.k2506; bh=lGPbwT6AgkQfRhIaBQDGCRg9vH6Z6EuzA3bYl0Gz9tw=; b=rCLDYCZ2/x74FEEVgMVtmy0EuWC0UWlnHDBCTAQ6qkoSVtw0qWeioMV5+6UwMgcHEmdL5ZTOltJemcQVsSNGhRrXf2yhk5kcoYnFPJHVer6sdnvQDo9OjMXLa8lVZKbIVbvaQpyv5mF5J+wXmh0KxuwGgsEaCa65gmSNo18LNBt/rDEm9mjKu+5ZrzolVcpGPCQZ2DuMpyrNnFVVIiE50ptaQGktOoZYn8zWb9938Y3fB3hRJ1/yPzsgYVWKKxfC27KdrehpuUqvPRkkpDpSG1JguKTiBXInxpho1AKfnsoaAvXavH6U0jdoZSKwStu2TRKIdRP/1aIY9jOifZKG8g==
Received: from ary.local ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 07 Jun 2025 13:32:21 -0000
Received: by ary.local (Postfix, from userid 501) id 275C3CD3CD3F; Sat, 7 Jun 2025 15:32:19 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by ary.local (Postfix) with ESMTP id C2997CD3CD21; Sat, 7 Jun 2025 15:32:19 +0200 (CEST)
Date: Sat, 07 Jun 2025 15:32:19 +0200
Message-ID: <478e1879-93d4-4b0b-a99f-bbdb422bc073@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Paul Hoffman <paul.hoffman@icann.org>
In-Reply-To: <F7E48A3F-DA2C-4E54-92DA-90CD0EDE78DA@icann.org>
References: <CAKC-DJhS4_1P5Bqu-0YWWr9jkxBOt40rx5804UAUp7DhAsc31g@mail.gmail.com> <40408285-974A-4790-B653-DF4C3798F1E0@nohats.ca> <F7E48A3F-DA2C-4E54-92DA-90CD0EDE78DA@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-ID-Hash: BNKADHLPCQES7QREWN3EVXCVMPOCVAR7
X-Message-ID-Hash: BNKADHLPCQES7QREWN3EVXCVMPOCVAR7
X-MailFrom: johnl@taugh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LDAygc9ejcA_nfni35qgQsqu9Zs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Fri, 6 Jun 2025, Paul Hoffman wrote:
> This is an OK start, but it would be better if the draft covered the actual security issues (on-path attackers) and dealt with time more carefully. Persistent validation doesn't need the token that is needed by the initial validation.

Why not?  Let's say I have three accounts with FooCo and then cancel one 
of them.  It needs something more than "I have some relationship with 
FooCo".

I don't object to documenting on-path attackers but it still seems 
awfully hypothetical.

> The new material still doesn't explain why introducing a new mechanism (intermediaries) should be part of a Best Current Practice RFC.

I agree with that bit.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly