Re: [DNSOP] [Ext] Roman Danyliw's Discuss on draft-ietf-dnsop-rfc5933-bis-12: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Tue, 29 November 2022 03:10 UTC

From: Roman Danyliw <rdd@cert.org>
To: Paul Hoffman <paul.hoffman@icann.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-rfc5933-bis@ietf.org" <draft-ietf-dnsop-rfc5933-bis@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>
Thread-Topic: [Ext] [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-rfc5933-bis-12: (with DISCUSS and COMMENT)
Date: Tue, 29 Nov 2022 03:10:16 +0000
Message-ID: <BN2P110MB1107861602A64A0FBA66DA2CDC129@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <166872616356.62441.7369642343155654553@ietfa.amsl.com> <C9144B93-343D-4F9C-8316-B17E3421C286@icann.org>
In-Reply-To: <C9144B93-343D-4F9C-8316-B17E3421C286@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XZoakWUDruPXylJ2wLIS4l4vevo>

Hi!

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Paul Hoffman
> Sent: Thursday, November 17, 2022 7:06 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: The IESG <iesg@ietf.org>; draft-ietf-dnsop-rfc5933-bis@ietf.org; dnsop-chairs@ietf.org; dnsop@ietf.org; Tim Wicinski <tjw.ietf@gmail.com>
> Subject: Re: [Ext] [DNSOP] Roman Danyliw's Discuss on draft-ietf-dnsop-rfc5933-bis-12: (with DISCUSS and COMMENT)
> 
> On Nov 17, 2022, at 3:02 PM, Roman Danyliw via Datatracker
> <noreply@ietf.org> wrote:
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > The IETF has steered away from publishing protocol mechanisms with dependencies
> > on national cryptography as we do not have the ability to validate their
> > security properties ourselves.  IETF stream documents typically rely on
> > documents published in the Crypto Forum Research Group (CFRG) [1]; an open and
> > peer-reviewed vetting process; or a review by the IRTF Crypto Panel [2] to give
> > us confidence in cryptographic algorithm choices. Since the described GOST
> > mechanism doesn’t fit into these vetting criteria and the WG (based on the
> > shepherd’s report) has not provided alternative analysis, it is not appropriate
> > to publish this document in the IETF stream.
> >

[snip]

> It feels like this DISCUSS ballot is asking for a non-IETF-stream RFC to obsolete
> an IETF-stream RFC. Yuck. Instead, it might be better to publish this in the IETF
> stream; separately, the IESG could then publish a statement that future
> national algorithm documents should not come through the IETF stream.

I agree that we need to be careful about what a non-IETF-stream document would do to an IETF-stream document.  As a counter proposal, I would recommend that we use the flexibility afforded by RFC6014 and RFC9157 to address our current situation, and split the document.

The document has several components:

(a) Specification of and guidance for new DNSKEY and RRSIG behavior using GOST R 34.10-2012 and GOST R 34.11-2012 (i.e., Sections 2-6 and 9)

(b) Guidance to obsolete/update previous RFC5933/RFC8624 behavior per (a) (i.e., Sections 7 and 8)

(c) Request new IANA registry entries for (a) (i.e., Section 10)

(d) Request updates to IANA registries to deprecate older GOST code points specified by IETF-stream documents (i.e., Section 10)

Components (a) and (c) could be extracted from this document and added to a new document published by the ISE.  This text is the new national crypto that the WG cannot render judgement on per my DISCUSS.  The remaining text, components (b) and (d), would be the reduced draft-ietf-dnsop-rfc5933-bis document and would reference this new ISE document with the appropriate caveats on the confidence the WG has in this new ISE reference.  This reduced draft-ietf-dnsop-rfc5933-bis document would be the compromise where an IETF-stream document is needed to redefine previously specified behavior so that an ISE-stream document wouldn't have to obsolete an IETF-stream one.  If (when) GOST R 34.10-2012/GOST R 34.11-2012 is superseded (and assuming it remains national crypto), algorithm revisions can be handled entirely by the ISE.

Regards,
Roman