Re: snarls in real life

Keith Moore <> Wed, 21 April 2021 17:59 UTC

Subject: Re: snarls in real life
From: Keith Moore <>
Date: Wed, 21 Apr 2021 13:59:10 -0400
List-Id: IETF-Discussion <>

On 4/21/21 1:49 PM, Michael Thomas wrote:

>> My takeaway from these exchanges is a bit different. You are 
>> advocating for using DANE instead of PKI during the authentication 
>> exchange, because this leads to fewer packets. People provided three 
>> different counter arguments. The first argument was that in first 
>> order, performance is measured by the number of round-trips, not the 
>> number of packets, and that using DANE instead of PKI would not 
>> result in big performance gains in practice. The second argument was 
>> that the full authentication exchange is only used in a small 
>> fraction of connections. The other exchanges use session resumption, 
>> and in that case there is no difference between DANE and PKI. The 
>> third argument was that there is no specific work to do in the QUIC 
>> working group on this topic, since QUIC relies on TLS 1.3 for 
>> authentication and TLS 1.3 already supports DANE. Using DANE instead 
>> of PKI is a deployment issue, not a protocol development issue, and 
>> there is no concrete work for the QUIC WG.
> The meta question is whether that is so off topic that it needs to be 
> officially shut down with the working group chairs. The technical 
> merits are what they are. What I was told in no uncertain terms is 
> that I am not allowed to even ask the question. Is that appropriate? 

Why are you asking us, when it's really the responsible ADs' job to 
determine the answer to that question? There's not one right generic 
answer to that kind of question. The answer to that question requires 
evaluating the technical merits of the idea with respect to the WG's 
charter, which is a lot of work for anyone who isn't already "in the 
loop" to evaluate.