[Doh] [Editorial Errata Reported] RFC8484 (6708)

RFC Errata System <rfc-editor@rfc-editor.org> Thu, 14 October 2021 01:29 UTC

To: rfc-editor@rfc-editor.org
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: mt@lowentropy.net, paul.hoffman@icann.org, mcmanus@ducksong.com, doh@ietf.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20211014012939.053C11FD730@rfc-editor.org>
Date: Wed, 13 Oct 2021 18:29:39 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/sKVv0e-7qRCI_Jxk0TUD6XBfnhE>
Subject: [Doh] [Editorial Errata Reported] RFC8484 (6708)

The following errata report has been submitted for RFC8484,
"DNS Queries over HTTPS (DoH)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6708

--------------------------------------
Type: Editorial
Reported by: Martin Thomson <mt@lowentropy.net>

Section: 10

Original Text
-------------
The use of Online Certificate
   Status Protocol (OCSP) [RFC6960] servers or Authority Information
   Access (AIA) for Certificate Revocation List (CRL) fetching (see
   Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can
   happen.

Corrected Text
--------------
The use of Online Certificate Status Protocol (OCSP) [RFC6960] servers, Certificate Revocation List (CRL) distribution points (see Section 4.2.1.13 of [RFC5280]), or Authority Information Access (AIA) to retrieve issuer certificates (see Section 4.2.2.1 of [RFC5280]) are examples of how this deadlock can happen.

Notes
-----
The OCSP part is fine, but the AIA piece is wrong.

For context, there are three different ways (to my knowledge) that a client might make outbound connections in order to validate or build a certification path.

1. CRL - clients fetch CRLs from the designated location.  This rarely happens any more as it is grossly inefficient, but it does still happen in some usages.

2. OCSP - clients query OCSP for the status of a certificate.

3. AIA chasing - this is where the TLS handshake doesn't include the full set of certificates required to validate the end-entity certificate, but the certificate includes a URL for that certificate.

AIA itself is a multi-purpose field.  It can include multiple elements, one of which is the identity of an OCSP responder (the same one used in (2) above) and the other being the one used in (3).  It does not include CRL distribution points, as the text implies.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC8484 (draft-ietf-doh-dns-over-https-14)
--------------------------------------
Title               : DNS Queries over HTTPS (DoH)
Publication Date    : October 2018
Author(s)           : P. Hoffman, P. McManus
Category            : PROPOSED STANDARD
Source              : DNS Over HTTPS
Area                : Applications and Real-Time
Stream              : IETF
Verifying Party     : IESG
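The notes above distinguish three outbound fetches a certificate validator may make (CRL from a distribution point, OCSP, and AIA chasing for an issuer certificate) and point out that the AIA extension carries the OCSP responder and the issuer-certificate URL but not CRL distribution points. The following is an added example, not part of the errata report or of RFC 8484: it decodes the two RFC 5280 extensions with a minimal stdlib-only DER reader, tells the AIA entries apart by their accessMethod OID, and then flags each URL whose host is a name rather than an IP literal, since fetching it would need the very DNS resolution a DoH client does not yet have (the deadlock Section 10 describes). The extension bytes, hostnames and the helper names (`build_aia`, `build_crl_dp`, `outbound_fetches`) are constructed for the example and appear in no real certificate.

```python
"""Added example: which outbound fetches does validating a certificate imply?

Decodes CRL Distribution Points (RFC 5280, 4.2.1.13) and Authority Information
Access (4.2.2.1), whose accessMethod OID tells an OCSP responder from an
issuer-certificate URL, then marks each URL whose host needs a DNS lookup.
Sample extension bytes are constructed here, not taken from a real certificate.
"""
from ipaddress import ip_address
from urllib.parse import urlsplit

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # RFC 5280 id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # RFC 5280 id-ad-caIssuers


def tlv(tag, body):
    """Encode one DER tag-length-value (definite length, short or long form)."""
    if len(body) < 128:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))


def decode_oid(body):
    """Decode the body of a DER OBJECT IDENTIFIER to dotted form."""
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def der_items(data):
    """Yield (tag, body) for each TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n


def uri(u):
    """GeneralName uniformResourceIdentifier: [6] IMPLICIT IA5String."""
    return tlv(0x86, u.encode("ascii"))


def build_aia(ocsp_urls, ca_issuer_urls):
    """AuthorityInfoAccessSyntax: SEQUENCE OF AccessDescription {method, location}."""
    descs = [tlv(0x30, oid(ID_AD_OCSP) + uri(u)) for u in ocsp_urls]
    descs += [tlv(0x30, oid(ID_AD_CA_ISSUERS) + uri(u)) for u in ca_issuer_urls]
    return tlv(0x30, b"".join(descs))


def build_crl_dp(urls):
    """CRLDistributionPoints: DistributionPoint { [0] { fullName [0] GeneralNames } }."""
    return tlv(0x30, b"".join(tlv(0x30, tlv(0xA0, tlv(0xA0, uri(u)))) for u in urls))


def parse_aia(ext_value):
    """Return [(access_method_oid, url)] for the URI entries of an AIA extension."""
    (_, seq), = der_items(ext_value)
    out = []
    for _, desc in der_items(seq):
        (_, method), (loc_tag, loc) = der_items(desc)
        if loc_tag == 0x86:                # only URI GeneralNames are fetchable
            out.append((decode_oid(method), loc.decode("ascii")))
    return out


def parse_crl_dp(ext_value):
    """Return the fullName URIs of a CRL Distribution Points extension."""
    (_, seq), = der_items(ext_value)
    urls = []
    for _, dp in der_items(seq):
        for tag, dp_name in der_items(dp):
            if tag != 0xA0:                # skip reasons / cRLIssuer fields
                continue
            for inner, names in der_items(dp_name):
                if inner == 0xA0:          # fullName, not nameRelativeToCRLIssuer
                    urls += [n.decode("ascii") for t, n in der_items(names) if t == 0x86]
    return urls


def outbound_fetches(aia_value, crl_dp_value):
    """List (kind, url, needs_dns) for every fetch a validator may make before trusting the cert."""
    kinds = {ID_AD_OCSP: "ocsp", ID_AD_CA_ISSUERS: "aia-chase"}
    fetches = [(kinds.get(m, "other"), u) for m, u in parse_aia(aia_value)]
    fetches += [("crl", u) for u in parse_crl_dp(crl_dp_value)]
    report = []
    for kind, url in fetches:
        host = urlsplit(url).hostname or ""
        try:
            ip_address(host)               # IP literal: reachable with no resolver
            needs_dns = False
        except ValueError:
            needs_dns = True               # a name: DNS is needed before this fetch
        report.append((kind, url, needs_dns))
    return report


# Constructed sample: one OCSP responder, one issuer-cert URL, one CRL DP by IP literal.
SAMPLE_AIA = build_aia(["http://ocsp.example.test/"], ["http://ca.example.test/issuer.cer"])
SAMPLE_CRL_DP = build_crl_dp(["http://192.0.2.10/ca.crl"])

if __name__ == "__main__":
    for kind, url, needs_dns in outbound_fetches(SAMPLE_AIA, SAMPLE_CRL_DP):
        print(f"{kind:10} {url:40} {'needs DNS first' if needs_dns else 'no DNS needed'}")
```

Run stand-alone, the sample reports the OCSP and AIA-chase URLs as needing DNS first and the CRL fetch (an IP literal) as not. On the defensive side, the two AIA-derived fetches disappear when the DoH server staples its OCSP response (RFC 6066 status_request) and sends the complete chain in the handshake, which is why a client can be expected to validate such a server without any resolver; the example only considers URI-form GeneralNames, the only form a client can fetch.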