Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons

Paul Hoffman <paul.hoffman@icann.org> Wed, 06 January 2021 22:09 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BACD3A133A for <dnsop@ietfa.amsl.com>; Wed, 6 Jan 2021 14:09:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id prN99rojK9pr for <dnsop@ietfa.amsl.com>; Wed, 6 Jan 2021 14:09:46 -0800 (PST)
Received: from ppa4.dc.icann.org (ppa4.dc.icann.org [192.0.46.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 891513A1332 for <dnsop@ietf.org>; Wed, 6 Jan 2021 14:09:46 -0800 (PST)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa4.dc.icann.org (8.16.0.42/8.16.0.42) with ESMTPS id 106M9imU027198 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 6 Jan 2021 22:09:45 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.721.2; Wed, 6 Jan 2021 14:09:43 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.0721.006; Wed, 6 Jan 2021 14:09:43 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Eric Rescorla <ekr@rtfm.com>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons
Thread-Index: AQHW2iK2rfUUDm/KeUelowK7yn3CSKoIyneAgAhMdACAAANcgIABNPEAgAAFwYCAATXPAIAABD6AgAASRACAAAxFgIAEPoEAgAAZtICAABZjgIAAEf0AgAAKiwCAAAQagIABDUMAgAFEeQCAALvYgIAAUEeAgAAajwCAAALjAIAACIgAgAACfoA=
Date: Wed, 06 Jan 2021 22:09:43 +0000
Message-ID: <EF7F45C8-0C34-4DF6-A861-6C109A0A6691@icann.org>
References: <CADZyTkn1QuvjencR8+wVtQ9bzQHJT9JXXNku1LPr3YRmRt4KQg@mail.gmail.com> <CABcZeBMr5Muijx5V7Se1UcxTB9DbAzF1iXZb7_FzEGfw982x8w@mail.gmail.com> <65e3288d-bdfe-ff10-2fbc-63a5d2dd9508@cs.tcd.ie> <797AAE77-2D50-4189-81D8-44BA495146F5@icann.org> <546e60c6-b109-8552-dfb4-7d3ba2ecbc71@cs.tcd.ie> <E58B4013-9491-43ED-83C9-250FF7647570@icann.org> <0746397c-ed85-429c-ff6e-a4a559520e86@cs.tcd.ie> <487928351.1557.1609759876775@appsuite-gw1.open-xchange.com> <60ba1f68-b07f-7a06-539f-60ce442ffbff@cs.tcd.ie> <195eb4c7-306f-97e1-b0df-f6678ebe732@nohats.ca> <ebb27f27-a243-67cd-2b5c-d2ecea741942@cs.tcd.ie> <24505bb1-cf40-25a7-337c-9b50fedfedc1@nohats.ca> <98299ffc-056b-16ee-1929-78543f5ec6d5@cs.tcd.ie> <F66DA99B-910E-4324-895D-F617B447612F@gmail.com> <CAHbrMsAqNXENeP2AdkEs7OC+YL6_z9VU89B7mNu3qOFBc7PQ=A@mail.gmail.com> <3a914ab5-2744-cec0-bbc8-bf39ec64a051@nohats.ca> <CAHbrMsDAMsXzAhcu35_GqL54JNF2jO-HhYWEZyE2VLP=V8dN5A@mail.gmail.com> <47a8a8df-c4d8-78e-ec5e-cfdc6daea130@nohats.ca> <BE8EEAE6-A33A-41FF-908E-821FB3850422@icann.org> <CABcZeBNi=RzB6=Yz2oXsjqvo30d9bqDYeicp0==K65iJ8E9qGg@mail.gmail.com>
In-Reply-To: <CABcZeBNi=RzB6=Yz2oXsjqvo30d9bqDYeicp0==K65iJ8E9qGg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_AA9DD302-C061-4A24-B837-BBE2B96A7915"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2021-01-06_12:2021-01-06, 2021-01-06 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RgU0CNl9Wq6EV1Qp_0ebEEEZFqc>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-hoffman-dnssec-iana-cons
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jan 2021 22:09:48 -0000

On Jan 6, 2021, at 2:00 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> This is not strictly correct: TLS allows both the client and the server to advertise their supported signature algorithms, which can be used by the peer to guide certificate selection.

Fair point. However, if the TLS client says "I support only $x and $y", that does not change how the TLS server chose the algorithm in its certificate in the past, only what to do if it happens to have multiple certificates with different algorithms, which seems rare. Ben's proposal leans way over towards everyone having to agree ahead of time.

--Paul Hoffman
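The exchange above turns on what a server can actually do with the client's signature_algorithms list: it can only pick among certificates it already has. The following is an added illustration written for this archive page, not code from the thread or from any draft. The SignatureScheme codepoints are the real RFC 8446 values; the key-type-to-scheme table, the certificate inventories and the client lists are constructed for the example.

```python
"""Constructed model of TLS 1.3 server certificate selection driven by the
client's signature_algorithms extension (RFC 8446, section 4.2.3).
Only the codepoints are real; everything else is illustrative."""

from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

# Real SignatureScheme codepoints from RFC 8446.
RSA_PKCS1_SHA256 = 0x0401
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
ED25519 = 0x0807

# Constructed mapping: which schemes a key of each type can use in a
# TLS 1.3 CertificateVerify (RSA keys must use RSA-PSS there, never PKCS#1 v1.5).
SCHEMES_FOR_KEY = {
    "rsa": {RSA_PSS_RSAE_SHA256},
    "ecdsa-p256": {ECDSA_SECP256R1_SHA256},
    "ed25519": {ED25519},
}


@dataclass(frozen=True)
class Cert:
    name: str      # label only (constructed)
    key_type: str  # one of the keys of SCHEMES_FOR_KEY


def choose_scheme(cert: Cert, client_sig_algs: Iterable[int]) -> Optional[int]:
    """Return the first scheme, in the client's preference order, that this
    certificate's key can sign with; None if the client accepts none of them."""
    usable = SCHEMES_FOR_KEY[cert.key_type]
    for scheme in client_sig_algs:
        if scheme in usable:
            return scheme
    return None


def select_certificate(server_certs: Sequence[Cert],
                       client_sig_algs: Sequence[int]) -> Optional[Cert]:
    """Walk the server's certificates in the server's own preference order and
    return the first one the client can verify.  None means the server holds no
    certificate the client accepts: the extension cannot change which
    algorithms the server's existing certificates were issued with, so the
    handshake fails at this point."""
    for cert in server_certs:
        if choose_scheme(cert, client_sig_algs) is not None:
            return cert
    return None


# Constructed server inventories: the common single-certificate case and the
# rarer multi-certificate deployment the message refers to.
SINGLE_RSA_SERVER = (Cert("rsa-only", "rsa"),)
MULTI_CERT_SERVER = (Cert("rsa-primary", "rsa"), Cert("ed25519-alt", "ed25519"))


if __name__ == "__main__":
    # A client that only accepts Ed25519 gets nothing from an RSA-only server.
    print(select_certificate(SINGLE_RSA_SERVER, [ED25519]))  # None
    # The same client against the multi-certificate server is served the Ed25519 cert.
    print(select_certificate(MULTI_CERT_SERVER, [ED25519]).name)  # ed25519-alt
    # A client that accepts both: the server's own ordering (RSA first) decides.
    print(select_certificate(MULTI_CERT_SERVER,
                             [ED25519, RSA_PSS_RSAE_SHA256]).name)  # rsa-primary
```

The model makes the two halves of the disagreement visible: a server with one certificate has no choice to make regardless of what the client advertises, while a server with several can honour the client's list, and which certificate it reaches for is still decided by the server's own preference order rather than the client's.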