From: Paul Hoffman <paul.hoffman@icann.org>
To: John R Levine <johnl@taugh.com>
Date: Mon, 8 Jul 2024 18:08:45 +0000
Message-ID: <FA9FC0A4-1103-4464-9E19-86B36FE27DD4@icann.org>
References: 
 <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com>
 <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org>
 <E58B1C4D-1DB0-4123-9C91-02E7FDC6D6EB@icann.org>
 <0bc64fd0-0031-4ca2-b722-ad0d585ea686@taugh.com>
In-Reply-To: <0bc64fd0-0031-4ca2-b722-ad0d585ea686@taugh.com>
CC: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/dnsop/lJoBcA2wyssBje-DZ97GNkWRY8Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

Thanks for the comments. They are all addressed in the revised draft coming out shortly.

--Paul Hoffman

On Jun 30, 2024, at 15:31, John R Levine <johnl@taugh.com> wrote:
>
> I took a look and didn't find anything particularly troubling.  I agree that adding the new optional DNSKEY element doesn't need a version number. Getting rid of private certificates in favor of a CA signed cert for the HTTPS server makes sense.
>
> On the other hand, I don't understand what the point of the new optional DNSKEY field in the XML is.  I see that IANA does not currently include it.
>
> It's always been possible to retrieve the DNSKEY records from the live root and check that one of them matches the digest in the XML.  Is this to provide a way to remember the old DNSKEYs that have been rotated out of the root?  A sentence or two describing the motivation would help.
>
> The third paragraph of section 3.2 describes a detached CMS signature. While I realize it's there in 7958, I don't see how it provides any security at all.  It's signed with an ICANN private key but there's no way I can see to tell the "real" ICANN CA from one that I just made up to sign my fake XML.  The useful security is the accredited CA signed HTTPS certificate described in the following paragraph, so I'd take the CMS signature out or at least note that it's trivial to defeat unless you have external knowledge about ICANN's private CA.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
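The check John refers to above (take the root's DNSKEY RRset and see which KeyDigest entries in the trust anchor XML it matches) as an added worked example; this Python is not from the draft, IANA, or either author. It assumes the RFC 7958 XML layout (TrustAnchor/Zone/KeyDigest with KeyTag, Algorithm, DigestType, Digest), computes key tags and DS digests per RFC 4034, and uses constructed keys rather than real root keys, so it runs offline; a rotated-out anchor stays in the file and simply matches nothing in the live set.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET

ROOT_OWNER_WIRE = b"\x00"  # wire-format owner name of the root zone "."
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest types

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    # DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    # Key tag over the DNSKEY RDATA, RFC 4034 Appendix B
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(digest_type, rdata, owner_wire=ROOT_OWNER_WIRE):
    # DS digest = hash(owner name in wire form || DNSKEY RDATA), upper-case hex
    return hashlib.new(DIGEST_ALGS[digest_type], owner_wire + rdata).hexdigest().upper()

def parse_trust_anchor(xml_text):
    # Pull the KeyDigest entries out of a root-anchors.xml style document
    return [{"id": kd.get("id"),
             "KeyTag": int(kd.findtext("KeyTag")),
             "Algorithm": int(kd.findtext("Algorithm")),
             "DigestType": int(kd.findtext("DigestType")),
             "Digest": kd.findtext("Digest").strip().upper()}
            for kd in ET.fromstring(xml_text).findall("KeyDigest")]

def match_anchors(anchors, live_rdatas):
    # ids of anchors that some live DNSKEY matches on key tag, algorithm and digest
    matched = []
    for a in anchors:
        for rdata in live_rdatas:
            if (key_tag(rdata) == a["KeyTag"] and rdata[3] == a["Algorithm"]
                    and ds_digest(a["DigestType"], rdata) == a["Digest"]):
                matched.append(a["id"])
                break
    return matched

# Constructed sample data, not real root keys: one "live" KSK and one rotated out
LIVE_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
OLD_KSK = dnskey_rdata(257, 3, 8, b"\x05\x06\x07\x08")
SAMPLE_XML = '<TrustAnchor id="constructed" source="urn:example"><Zone>.</Zone>' + "".join(
    f'<KeyDigest id="{kid}"><KeyTag>{key_tag(k)}</KeyTag><Algorithm>8</Algorithm>'
    f"<DigestType>2</DigestType><Digest>{ds_digest(2, k)}</Digest></KeyDigest>"
    for kid, k in (("Kold", OLD_KSK), ("Klive", LIVE_KSK))) + "</TrustAnchor>"
```

Calling `match_anchors(parse_trust_anchor(SAMPLE_XML), [LIVE_KSK])` returns `['Klive']`; the `Kold` entry is only matched when its key is also present.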

