IETF Logo Mail Archive

[DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)

John R Levine <johnl@taugh.com> Sun, 08 June 2025 16:16 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6EF233262875 for <dnsop@mail2.ietf.org>; Sun, 8 Jun 2025 09:16:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.401
X-Spam-Level:
X-Spam-Status: No, score=-4.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="cECSgQfe"; dkim=pass (2048-bit key) header.d=taugh.com header.b="Tc5OhdPq"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e_236RPgnVZy for <dnsop@mail2.ietf.org>; Sun, 8 Jun 2025 09:16:24 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 090773262870 for <dnsop@ietf.org>; Sun, 8 Jun 2025 09:16:23 -0700 (PDT)
Received: (qmail 66819 invoked from network); 8 Jun 2025 16:16:23 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=104fc6845b757.k2506; t=1749399373; x=1749744973; bh=iWcG3TvXUahZ7P5oyrvT44sujuuDbarb/ZqjYb5oyw0=; b=cECSgQfexlXQGwrwyo8uKYWc8DG2zoWJnRCjkbjdW50K5tBn9BmvRmkuviCF0xI/Sr4dSqJvqgCeDASryNCJmQSzcci/nJS8naBLKcsFargBv+LPK8oRzjBht6dB5q6CbG4ybAnXZ6neALJW1sB8XGy8phPyW36jSNrT3CeP9D7DwRdqDxwznMV8BIcWp8m1kR/WsTY4BJKle95af++7o64XL1hM8rlsk4O4xvuRo+QPDYGpGZcIOyHMGLJ+GRliydaZPV/ZLgde5WiGQ+oOH8+EaEVzEAgz7ByrO2LmgCMr2Z1EMtASSv/zg2rhsC0/wOmrYqIsRF8FxmMQk8Yyag==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=104fc6845b757.k2506; bh=iWcG3TvXUahZ7P5oyrvT44sujuuDbarb/ZqjYb5oyw0=; b=Tc5OhdPqG0AW++NNGNEhIB6/2std4AwIMuCI8k5Y7OFge9WQEU+Yl9Xv+OADiEKbUO3SC29pfd7hGYi00eGAhmuciGUSG8qDTc1xNOvavFWHs4u3t9YhCstA8z0va3R2bBAgNC+aauuNb8AGKe/mLu5x4w0m4y5cqM4YpLkehEk1bpAISm+Uywj2PGDHusTCFhC+ogY/mECCgFopvWQR6j8JoXAhz2igQApb1qNdgkhMxIY4SmYoCqdXLaKeAgELR42uCXUYdTmQHYciGPfkZy18/Ai8qVSYE5b0kEeZXZmF8RYEryDReGmPKggIeDB21MQlENl2MQ09lpwuqjF+Tg==
Received: from ary.local ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 08 Jun 2025 16:16:23 -0000
Received: by ary.local (Postfix, from userid 501) id A8401CD5BF63; Sun, 8 Jun 2025 18:16:21 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by ary.local (Postfix) with ESMTP id 5F757CD5BF45; Sun, 8 Jun 2025 18:16:21 +0200 (CEST)
Date: Sun, 08 Jun 2025 18:16:21 +0200
Message-ID: <fcb3b846-7d2a-c567-2566-ba1614df31fa@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Erik Nygren <erik+ietf@nygren.org>
In-Reply-To: <CAKC-DJh4ck_okAmdssMTfj5iq9X2o_-_Z6MzLQRSfZyjUJ3t6g@mail.gmail.com>
References: <CAKC-DJhS4_1P5Bqu-0YWWr9jkxBOt40rx5804UAUp7DhAsc31g@mail.gmail.com> <40408285-974A-4790-B653-DF4C3798F1E0@nohats.ca> <F7E48A3F-DA2C-4E54-92DA-90CD0EDE78DA@icann.org> <478e1879-93d4-4b0b-a99f-bbdb422bc073@taugh.com> <CAKC-DJh4ck_okAmdssMTfj5iq9X2o_-_Z6MzLQRSfZyjUJ3t6g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-ID-Hash: QVEKGUNBUFRW4D6ZQ4XKS4FOSOTHBPN6
X-Message-ID-Hash: QVEKGUNBUFRW4D6ZQ4XKS4FOSOTHBPN6
X-MailFrom: johnl@taugh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Persistence of DCV, including for Delegated DCV (for draft-ietf-dnsop-domain-verification-techniques)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bNbR5UBZfwAweRdj5ks6Iq2fnyA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Sun, 8 Jun 2025, Erik Nygren wrote:
> Rather than saying "I authorize this action" in a one-off validation,
> persistent validation is saying "I authorize this User/account"

I don't see a useful difference.  Either way the entity issuing the token 
uses the unique token to identify whatever it is that it wants to verify.

As I said before, I do not see any reason to make any technical changes 
here other than an option for the token to say it does not expire.  We can 
wave our hands about on-path attacker but since I've never seen one 
attacking a validation token, I'm not aware of any practice we can 
describe, and I do not want us to guess.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

v2.31.3 | Report a Bug | By Email | System Status