Re: [eppext] Stephen Farrell's Discuss on draft-ietf-eppext-keyrelay-11: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 17 December 2015 14:33 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: eppext@ietfa.amsl.com
Delivered-To: eppext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F21BA1B2E36; Thu, 17 Dec 2015 06:33:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2OilIjvxD4P; Thu, 17 Dec 2015 06:33:45 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C2301B2E2C; Thu, 17 Dec 2015 06:33:45 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3CB91BE2C; Thu, 17 Dec 2015 14:33:44 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w01G6F3yEZF7; Thu, 17 Dec 2015 14:33:37 +0000 (GMT)
Received: from [10.87.48.95] (unknown [86.46.31.96]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id EB4F3BE8E; Thu, 17 Dec 2015 14:33:36 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1450362817; bh=u/Uxs2k40B5GyGZcmygiH+ot9W9jaSb8k0B6Jdv0xwI=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=fk9frP52u90OAIBjXgR7ZVME4/Gu1Gic+XO03YnzjvK8vN9uFYwoMMU3uNcm1RRfM tIXtC0upnUomvkt/6BOLpnAZzSkAUFYYEygWM7i+8Ha6oojLv6HwFAm/yo0wewPMqR 1zwWJkGrfmmb34f0gbYZB4Q7RensObxjNzn+0ohs=
To: Rik Ribbers <rik.ribbers@sidn.nl>
References: <20151215114126.29062.93034.idtracker@ietfa.amsl.com> <94ACD476-6EF9-4531-8F98-00409A6C26E6@sidn.nl>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <5672C7C0.70104@cs.tcd.ie>
Date: Thu, 17 Dec 2015 14:33:36 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <94ACD476-6EF9-4531-8F98-00409A6C26E6@sidn.nl>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/eppext/7pOXERjS0yQQ-uHu3ph8CCNwNik>
Cc: "draft-ietf-eppext-keyrelay@ietf.org" <draft-ietf-eppext-keyrelay@ietf.org>, "eppext-chairs@ietf.org" <eppext-chairs@ietf.org>, Ulrich Wisser <ulrich@wisser.se>, eppext <eppext@ietf.org>, Marc Groeneweg <Marc.Groeneweg@sidn.nl>, The IESG <iesg@ietf.org>
Subject: Re: [eppext] Stephen Farrell's Discuss on draft-ietf-eppext-keyrelay-11: (with DISCUSS and COMMENT)
X-BeenThere: eppext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: EPPEXT <eppext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/eppext>, <mailto:eppext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/eppext/>
List-Post: <mailto:eppext@ietf.org>
List-Help: <mailto:eppext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/eppext>, <mailto:eppext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 14:33:49 -0000

Hiya,

On 15/12/15 20:10, Rik Ribbers wrote:
> Hello Stephen,
> 
> My comment are inline.
> 
> Gr,
> Rik 
> 
>> On 15 Dec 2015, at 12:41, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>>
>> Stephen Farrell has entered the following ballot position for
>> draft-ietf-eppext-keyrelay-11: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-eppext-keyrelay/
>>
>>
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>> (1) The IPR declaration says that license terms will be available
>> "later." As things stand, I don't understand how the WG can have
>> made an informed decision in that case. I looked at the archive
>> and saw essentially no discussion, other than the announcement. I
>> also looked at the application and it's not crystal clear to me at
>> least that none of the claims are relevant. The shepherd write-up
>> also doesn't help me, but of course there may have been discussion
>> in a f2f meeting that is documented in minutes or something - I've
>> not checked for such, or I may have missed out on some list
>> traffic. Anyway, the DISCUSS is to ask did I miss stuff and if not
>> how can WG participants have rationally considered an IPR
>> declaration if the licensing information will only arrive "later"
>> after the document is approved to become an RFC?  (Note: If I am
>> explicitly told that this was considered and participants were ok
>> with the declaration even as-is, then I'll clear.) 
>>
> 
> I’ll wait for Scott Hollenbeck to update the IPR text. see https://mailarchive.ietf.org/arch/msg/eppext/h53yrXvbugHt9gCefOaUnJ62Ghg <https://mailarchive.ietf.org/arch/msg/eppext/h53yrXvbugHt9gCefOaUnJ62Ghg> 

Right, this seems to be in-work which is fine.

>> (2) So I can see at least two ways in which this kind of thing can
>> be done and you don't clearly say which this supports. Option (a)
>> would be for the gaining DNS operator to provide new public keys
>> to the losing operator for inclusion before a transfer so that
>> continuity is maintained during the transfer. Option (b) would be
>> where the KSK private material is not known by either
>> operator, but e.g. by the registrant. In the case of option (b)
>> the DNSKEY would be transferred from the losing to the gaining DNS
>> operator. (And the arrow in Figure 1 would be in the other
>> direction.) I think you need to be clear about which of these
>> cases is actually being supported and about the overall sequence
>> of events needed. (If you tell me that you really want to do
>> whatever is in draft-koch, then that's fine but then this draft is
>> probably premature and draft-koch would need to be a normative
>> ref.)
>>
> 
> It is intended for option (a). The information transferred is the new DS-record or the new public keys depending on the server policy. See also more comments below.

Ok, so it's option (a) which is fine. But don't you need to
say that in the document? I initially assumed you were doing
(b) which lead to a confusing read. I'd suggest adding a bit
of text like this near the start:

"This specification describes a way to use EPP to allow a
gaining DNS operator to send new public keys to a losing
DNS operator. Having those new keys signed in the DNS before
transitioning to the gaining DNS operator means there need
not be any gap in service when new private keys (at the gaining
DNS operator) are used to sign DNS records. While there are
other ways of managing keys during transitions, only this
method is described in this specification."

Cheers,
S.


>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>>
>> - I think I'm missing an overview of EPP here. The intro could
>> maybe do with a short para, and/or a pointer to something general.
>> (Ah, I get it in section 3 - the ref to 5730 might be better in
>> the intro.)
>>
> 
> RFC5730 is also mentioned in the abstract. 
> 
>> - general: I think it'd be better to talk about public key values
>> and not "key material" as the latter is often used to describe
>> secret/private values which aren't at issue here. (Or else
>> I'm mis-reading stuff:-)
>>
> 
> See comment above; We chose the term DNSSEC key material after quite some discussion between the authors because you either talk about the DS-record or the public key.
> Having re-read Section 2.1 on DNSSEC key material I see the reference to RFC5910 (DNSSEC provisioning through EPP) is actually incorrect (and might lead to your mis-read) . Currently it references section 4.2 This should be section 4 as the difference between DS-data an key data is explained in the introduction of section 4. I have updated the reference to section 4 in the working copy of the document.
> 
>> - nit, p8: s/previously send/previously sent/
> 
> Fixed in the working copy of the draft.
> 
>>
>> - Section 6: I'm surprised that you don't recommend or even note
>> that the gaining registrar/dns operator should be able to check
>> that the DNSKEY value it sees in XML is or is not the same as one
>> that is published in the DNS and verifiable there. Wouldn't that
>> kind of cross check be useful?
>>
> 
> I agree that this is useful; proposed wording:
> 
> A client that uses this mechanism to send DNSSEC key material to another client COULD verify through DNS that the DNSSEC key material is added to the authoritative zone of the domain.
> 
> Please let me know what you think of this proposed wording.
> 
>