Re: [Doh] [Ext] A question of trust (was Re: Draft -09 and WGLC #2)

Mateusz Jończyk <mat.jonczyk@o2.pl> Thu, 31 May 2018 18:17 UTC

Return-Path: <mat.jonczyk@o2.pl>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65B84129515 for <doh@ietfa.amsl.com>; Thu, 31 May 2018 11:17:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5X4pqesPtPte for <doh@ietfa.amsl.com>; Thu, 31 May 2018 11:17:40 -0700 (PDT)
Received: from mx-out.tlen.pl (mx-out.tlen.pl [193.222.135.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80D4812E876 for <doh@ietf.org>; Thu, 31 May 2018 11:17:40 -0700 (PDT)
Received: (wp-smtpd smtp.tlen.pl 20844 invoked from network); 31 May 2018 20:17:38 +0200
Received: from ackl73.neoplus.adsl.tpnet.pl (HELO [192.168.1.22]) (mat.jonczyk@o2.pl@[83.10.87.73]) (envelope-sender <mat.jonczyk@o2.pl>) by smtp.tlen.pl (WP-SMTPD) with ECDHE-RSA-AES256-GCM-SHA384 encrypted SMTP for <doh@ietf.org>; 31 May 2018 20:17:38 +0200
From: =?UTF-8?Q?Mateusz_Jo=c5=84czyk?= <mat.jonczyk@o2.pl>
To: DoH WG <doh@ietf.org>
References: <CA9BEE64-9F16-4CCC-A1E0-4C7FD45C455C@icann.org> <20180528161043.GB12038@mx4.yitter.info> <CABkgnnV3kKFCzKLfPf_0WZh95jr2vEt652Rb4EozfqROCVsJdA@mail.gmail.com> <CAOdDvNrPU9WM3WgcX1AVF39D3bGdxCKgPAF_afhfv2Qt0pZR5g@mail.gmail.com> <DB7D40D6-455A-48DD-AB98-DF2CF0866222@sinodun.com> <CAOdDvNopKvs18jQizgyiAQq8UyB4GwdqyXfXPa+25pNrxWg8pA@mail.gmail.com> <20180530143833.GB3110@mx4.yitter.info> <197F1CB0-DFA5-4720-94E0-223D708B0D79@icann.org> <3920ACC9-D167-4E2C-88E7-7A2AB317EA16@sinodun.com> <33BE0098-C168-4B75-9B8F-D31AB45749AA@icann.org> <20180531151151.GA3060@mx4.yitter.info> <54C8B3CF-55EF-48F9-87FD-A38913D2C4FB@icann.org>
Openpgp: preference=signencrypt
Message-ID: <94972b71-49ec-619a-b6dd-4822a7725e28@o2.pl>
Date: Thu, 31 May 2018 20:17:30 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <54C8B3CF-55EF-48F9-87FD-A38913D2C4FB@icann.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="i8jFucaf9SRBQTQmsBmLMDBQSiN2ph9AU"
X-WP-MailID: 4f3197d8a969cfa838b0225b45a0733a
X-WP-AV: skaner antywirusowy Poczty o2
X-WP-SPAM: NO 000000A [ofN0]
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/TbgaHwCIUn-_HXNIlMy5ADUHGlo>
Subject: Re: [Doh] [Ext] A question of trust (was Re: Draft -09 and WGLC #2)
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 May 2018 18:17:44 -0000

W dniu 31.05.2018 o 17:18, Paul Hoffman pisze:
> Thanks, this does make it clearer. Proposal: move this sentence:
>    Configuration and discovery of the URI Template is done out of band from this protocol.
> up to before the first use of the word "configuration", 
> and change it to:
> 
> Configuration, discovery, and updating of the URI Template is done out of band from this protocol. Note that configuration might be manual (such as a user typing URI Templatess in the UI for "options") or automatic (such as URI Templates being supplied in responses from DHCP or similar protocols).
> 
+1 to general idea.

I think that this sentence should follow the first sentence in the section
"Selection of DNS API Server" and be slightly modified:

	A DNS API client uses configuration to select the URI, and thus the DNS
	API server, that is to be used for resolution.
	Configuration, discovery, and updating of the URI is done out 	
	of band from this protocol. Note that configuration might be manual
	(such as a user typing URI Templates in the UI for "options") or
	automatic (such as URI Templates being supplied in responses from DHCP
	or similar protocols).

	[RFC2818] defines how HTTPS verifies the DNS API server's identity.


> Is this sufficient?
> 
> --Paul Hoffman
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>