IETF Logo Mail Archive

Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 05 March 2015 06:45 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10B601A1A8C for <ietf@ietfa.amsl.com>; Wed, 4 Mar 2015 22:45:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1EXhCLRuZQxL for <ietf@ietfa.amsl.com>; Wed, 4 Mar 2015 22:45:15 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39FBA1A1A43 for <ietf@ietf.org>; Wed, 4 Mar 2015 22:45:15 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id F1DF3282FCC; Thu, 5 Mar 2015 06:45:13 +0000 (UTC)
Date: Thu, 05 Mar 2015 06:45:13 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: Pete Resnick <presnick@qti.qualcomm.com>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Message-ID: <20150305064513.GH1260@mournblade.imrryr.org>
References: <tsl8ufoh9ko.fsf@mit.edu> <2DF7230C-D1D8-4B21-9003-B336108A38CB@vpnc.org> <20150224172649.GX1260@mournblade.imrryr.org> <tslvbircj0d.fsf@mit.edu> <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se> <20150225180227.GT1260@mournblade.imrryr.org> <7AB921D35A7F9B23A53BD11A@JcK-HP8200.jck.com> <tslvbip8io6.fsf@mit.edu> <54F09A35.9060506@qti.qualcomm.com> <54F78650.6070503@qti.qualcomm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54F78650.6070503@qti.qualcomm.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/4fUJozIV5CKvcxxR15K-fHIsfXw>
X-Mailman-Approved-At: Thu, 05 Mar 2015 08:07:50 -0800
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, ietf@ietf.org, F?ltstr?m Patrik <paf@frobbit.se>, Mark Nottingham <mnot@mnot.net>, John C Klensin <john-ietf@jck.com>, Sam Hartman <hartmans-ietf@mit.edu>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 06:45:17 -0000

On Wed, Mar 04, 2015 at 04:25:20PM -0600, Pete Resnick wrote:

> >I'm going to ask Patrik to publish a revised ID at this point, which I
> >expect to see in the next couple of days.
> 
> The new version of the document (-12) is out, announcement attached. It is
> now Informational, it removes the discussion of flag "D" for NAPTR, and adds
> a bit of discussion to security considerations. I would appreciate folks
> giving it a sniff and making sure it addresses your earlier concerns. If so,
> I'll go ahead and ballot it for the 12-March IESG telechat.

I think this still fails to acknowledge Sam Hartman's concerns
about the change in the security model from (often with TLS)
application configured trust anchors that may be specific to the
expected peer, to likely the ICANN DNSSEC root trust-anchor, or
perhaps an enterprise DNS trust-anchor for an internal domain.

While such a change in the trust model may well be applicable,
there remains in the draft a claim that indirection through DNSSEC
is fundamentally not different from indirection through a TLS
authenticated HTTP redirect.  That claim is likely too bold.  Future
users of this RR need to consider the issues more carefully.

* DNSSEC is often stronger than today's Web PKI DV certs.

* However, with the traditional PKI it is far easier to
  not trust any of the usual suspects and built direct
  peer to peer trust.

* With DNSSEC the most specific one can be is in some cases have
  a local trust-anchor for the zone apex of the service domain,
  ( I'm involved in an internal DNSSEC deployment with some secure
  internal zones with explicit local trust-anchor settings. )

* More broadly however there's just the ICANN root, and perhaps
  some day the ability to use RFC 5011 to track zsk rollovers 
  of any TLDs that commit to implement the requisite key management
  discipline.  Going beyond that to bilateral trust-anchors between
  business partner organizations is rather exotic.

* All the while various non-browser B2B applications employ explicit
  destination-specific trust-anchors that perhaps should not be
  subordinate to the ICANN root or gTLDs.

So various problem spaces are better served by the Web PKI, DNSSEC
PKI or just bilaterally managed trust anchors, and these are not
simply interchangeable.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email