Re: [DNSOP] Prefixed name spaces and DANE client TLSA
George Michaelson <ggm@algebras.org> Wed, 13 January 2016 06:59 UTC
In-Reply-To: <20160113055505.54822.qmail@ary.lan>
References: <20160113055505.54822.qmail@ary.lan>
Date: Wed, 13 Jan 2016 16:59:33 +1000
Message-ID: <CAKr6gn2-NqnWtaHRsrOGS-5xs-h6K3Swd----_VTL8vHpwXF7Q@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
To: John Levine <johnl@taugh.com>
Cc: dnsop WG <dnsop@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Ou8q4u_NM5mRm1oLPAnmh8bej8g>
I think the mapping of SMTP (a protocol, an over-the-wire framing and dialogue about exchanging mail) has been crossed (crossing-the-beam crossed) with a ROLE. A client can be an SMTP speaker, and a forwarder/delivery agent can be an SMTP speaker. They aren't performing the same role. So does DANE want to identify the ROLE being performed or the protocol being used to do it? How would DANE feel if instead of SMTP it said DECNet-Mail?

The sub-domain thing, is that a real zone-cut? Are there detectable zone boundaries? Or is this mapping dot-separated elements but without implying a zone-cut?

-G

On Wed, Jan 13, 2016 at 3:55 PM, John Levine <johnl@taugh.com> wrote:
> I'm having what seems to me a very peculiar argument over in DANE.
>
> There's a draft called draft-huque-dane-client-cert-02 about
> validating SSL certificates for client hosts. The idea, which seems
> reasonable, is that if an SMTP or other client presents a TLS
> certificate claiming that it's outbound.example.com, the server it's
> talking to can look up a TLSA record to see if the certificate is
> valid, analogously to the way a client looks up the server's TLSA.
>
> What's peculiar is the names. The previous proposal was to look up a
> TLSA at _smtp.outbound.example.com, then someone noted that _smtp is
> for servers, so they want to look up the newly invented name
> _smtp-client.outbound.example.com. If you have a client for some
> other service, you make up a name. (Read the draft if this seems like
> an implausible summary.)
>
> I suggested they could avoid a lot of future name collision pain by
> registering "client" as a pseudo_service name, and then looking up
> _smtp._client._tcp.outbound.example.com. If your client is using
> another service, you use the service's name from the existing registry
> of services instead of _smtp, e.g., _imaps._client.tcp.myhost.example.
>
> The DANE crowd thinks this is a terrible idea, it's too complicated,
> makes the SRV-ID verification harder, name collisions won't happen
> and/or are easily solved. Am I missing something, or are they?
>
> Signed,
> Confused
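Added example (not code from this thread, from draft-huque-dane-client-cert, or from any DANE implementation): it builds the TLSA owner name a server would query under each of the two naming schemes discussed above, shows that the underscore labels do not create a zone cut (a cut exists only where an NS delegation does, per RFC 1034 section 4.2, so the name is served by whichever existing zone apex is its longest suffix), and then applies the RFC 6698 selector and matching-type rules to check a record against the client's certificate. All host names, zone apexes, and certificate bytes are constructed stand-ins; the function names are the example's own.

```python
"""TLSA owner names for client certificates, and RFC 6698 record matching.

Added example for the DNSOP thread above; not the draft's or any library's code.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# TLSA field values from RFC 6698 section 2.1.
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def client_tlsa_name_draft(service: str, host: str) -> str:
    """Owner name in the style of draft-huque-dane-client-cert-02: a newly
    invented '_<service>-client' label in front of the client's host name."""
    return f"_{service}-client.{host.rstrip('.')}."


def client_tlsa_name_pseudo_service(service: str, host: str, proto: str = "tcp") -> str:
    """Owner name under the alternative proposed in the quoted message: the
    registered service name, a '_client' pseudo-service label, then the
    transport label, in front of the client's host name."""
    return f"_{service}._client._{proto}.{host.rstrip('.')}."


def zone_serving(owner: str, zone_apexes: list[str]) -> str:
    """Return the apex of the zone that serves `owner`.

    Zone cuts come from NS delegations, not from the labels of a name, so the
    underscore prefixes never create a cut by themselves: the owner name lives
    in whichever existing zone apex is its longest matching suffix.
    """
    owner_labels = owner.rstrip(".").lower().split(".")
    best, best_len = "", 0
    for apex in zone_apexes:
        apex_labels = apex.rstrip(".").lower().split(".")
        n = len(apex_labels)
        if n > best_len and owner_labels[-n:] == apex_labels:
            best, best_len = apex, n
    return best


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> TLSA:
        """Parse '<usage> <selector> <matching type> <hex data>' presentation form."""
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the record's selector and matching type to the presented certificate.

    Records with an unknown selector or matching type are unusable (RFC 7671
    section 4.1) and are reported as not matching rather than raising.
    """
    selected = {SELECTOR_FULL_CERT: cert_der, SELECTOR_SPKI: spki_der}.get(record.selector)
    if selected is None:
        return False
    if record.matching_type == MATCH_EXACT:
        return selected == record.data
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest() == record.data
    return False


# Constructed sample values (not a real certificate): stand-ins for the DER bytes
# a server would extract from the client's TLS certificate.
CLIENT_CERT = b"constructed DER certificate for outbound.example.com"
CLIENT_SPKI = b"constructed DER SubjectPublicKeyInfo for outbound.example.com"
# A DANE-EE(3) / SPKI(1) / SHA-256(1) record the client's operator would publish.
EXAMPLE_RECORD = TLSA.from_presentation("3 1 1 " + hashlib.sha256(CLIENT_SPKI).hexdigest())
# Constructed delegation layout: only these apexes have NS records.
ZONE_APEXES = ["com", "example.com"]

if __name__ == "__main__":
    for name in (client_tlsa_name_draft("smtp", "outbound.example.com"),
                 client_tlsa_name_pseudo_service("smtp", "outbound.example.com")):
        print(f"{name} is served by zone {zone_serving(name, ZONE_APEXES)}")
    print("record matches presented certificate:",
          tlsa_matches(EXAMPLE_RECORD, CLIENT_CERT, CLIENT_SPKI))
```

Both naming functions only concatenate labels; whether the resulting name is answered by example.com or by a separately delegated outbound.example.com depends solely on where NS records exist, which is what `zone_serving` models. The matching step is the same whichever owner name is used, so the naming choice affects only lookup and collision behaviour, not the certificate check itself.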