IETF Logo Mail Archive

Re: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Alec Muffett <alecm@fb.com> Wed, 12 August 2015 17:09 UTC

Return-Path: <prvs=5666b58215=alecm@fb.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 310E01A9061 for <ietf@ietfa.amsl.com>; Wed, 12 Aug 2015 10:09:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.367
X-Spam-Level:
X-Spam-Status: No, score=-2.367 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LiZN_HHvfYt2 for <ietf@ietfa.amsl.com>; Wed, 12 Aug 2015 10:09:12 -0700 (PDT)
Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C39AC1A909D for <ietf@ietf.org>; Wed, 12 Aug 2015 10:09:11 -0700 (PDT)
Received: from pps.filterd (m0004060 [127.0.0.1]) by mx0b-00082601.pphosted.com (8.14.5/8.14.5) with SMTP id t7CH8ajS024551; Wed, 12 Aug 2015 10:09:07 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=G5HeG3+tLmL84o2dCoI3K0duG5uTKEMtDon/Ct7ZFZs=; b=P2qGikw+w65EWII/1m9tx5p36/UF71hYbvHpu4nmvaOHJjPZBdxb23COKIZ9kTYVdCC7 yagKHKfjWTVhoC+BZP+bblf5VDgAx4jyjVOzoJJKyD6LAS7P6paFIv9skzUpWR0Mvwg0 vAxn98GDtSUnyj1xxWRkARG6bOfupL5dk40=
Received: from mail.thefacebook.com ([199.201.64.23]) by mx0b-00082601.pphosted.com with ESMTP id 1w89ye03gy-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 12 Aug 2015 10:09:07 -0700
Received: from PRN-MBX02-4.TheFacebook.com ([169.254.2.114]) by PRN-CHUB03.TheFacebook.com ([fe80::fd64:bd05:4514:bbad%12]) with mapi id 14.03.0195.001; Wed, 12 Aug 2015 10:09:05 -0700
From: Alec Muffett <alecm@fb.com>
To: Ted Hardie <ted.ietf@gmail.com>
Subject: Re: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Topic: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Index: AQHQ1Hs3RjvWibFSx02Yb/KcU/cg4p4H3y4AgAAVvoCAADOXAIAAwlqAgAAksoA=
Date: Wed, 12 Aug 2015 17:09:04 +0000
Message-ID: <F9866E8A-5A95-4FC6-82FA-119101C7544C@fb.com>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <20150811211733.GG23964@x28.adm.denic.de> <46616F08-3CD4-448E-8638-95CFDA1C6D0F@fb.com> <CA+9kkMDwB9kSoqSuR3MdAgg6j2Kqip7R61GhiDiwFuWrjVGhtA@mail.gmail.com> <F5B862B9-10E4-4131-A675-9EC16FC50036@fb.com> <CA+9kkMBaPK+N1pEAVsYYMD-Fj+PxZKF-vBTk7ETJmBGx45A23w@mail.gmail.com>
In-Reply-To: <CA+9kkMBaPK+N1pEAVsYYMD-Fj+PxZKF-vBTk7ETJmBGx45A23w@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.52.123]
Content-Type: multipart/signed; boundary="Apple-Mail=_A3711A31-8E05-46B6-BCCD-15E96191ABDC"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-08-12_09:2015-08-12,2015-08-12,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/BwWpWqrVwnfU4HPoXn78sihytRU>
Cc: Peter Koch <pk@denic.de>, Mark Nottingham <mnot@mnot.net>, Jacob Appelbaum <jacob@appelbaum.net>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2015 17:09:14 -0000

Hi again, Ted!

> On Tue, Aug 11, 2015 at 8:22 PM, Alec Muffett <alecm@fb.com> wrote:
> 
> Given the “special” - as in “special name” - nature of Tor, it seems likely that all intentional use of it will be "opt-in" by via software that is capable of dealing with its addressing scheme and any URIs associated with it.
> 
> ​This is where we have an apparently philosophical ​difference, and, where, I think the failure of the registry document is most evident.  I believe that the category of software that will have to deal with this special use name is much broader than the opt-in Tor software, and I think that's what's contemplated in the paragraph I quoted above ("that apply universally regardless of what network the implementation may be connected to").  If Tor operated in a vacuum, it would not need this registration; it does not, and does.


Tor Onion Addressing does not operate in a vacuum - you are quite correct - it seeks to use properly TCP-like circuits, HTML, CMS, HTTP, and now HTTPS; the latter is perhaps the first technology where the technology has become (to some extent) hard-coded to the presumptions of Internet communication, in that SSL certificates are required, the authorities for those certificates have been issuing them against DNS names; but now, through CA/B-Forum’s Ballot 144:

https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names/

…CA/B-Forum are permitting CAs to issue certificates against “.onion” addresses.  For this to continue requires a step-up to IETF that “.onion” be reserved as a global namespace, upon which DNS need not tread. This is an achievable situation.

In the spirit of “good fences make good neighbours”, one of the most important aspects of interoperability is one of boundaries, and registration of “.onion” in the way proposed will clearly define the boundaries between DNS and an extant network of users which is not dependent upon DNS and which will not go away, but might be worked with-and-around.


> Equally, any software not capable of dealing it, which stumbles across a “long” label or somesuch, should treat it as much as it should properly treat (ignore?) any URI which it is incapable of dealing with. e.g.: the fact that I insert a link such as the following in this e-mail, should not crash your browser:
> 
> http://a234567890123456789012345678901234567890123456789012345678901234567890.onion/hello
> 
> If you are still reading this e-mail, your browser or mailer survived that illegally-long-yet-parsable label.
> 
> ​
> It did, but truncated what it thought was a URI, so ​it represents a failure.


…and I will bet that if you had clicked on it, and if it hadn’t been “truncated”, you would next have an issue that you would not have received any data because you are not using Tor.  That would be because you were not using Tor software.

Under such circumstances that would be an acceptable failure, I think.

See the annotation cited in this blogpost for a similar example:

https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237

[…phiilosophical deletia…]



>> Regarding label length, I find it really interesting to note that the Tor draft discussion document for future onion addresses / hidden services cites examples thusly:
>> 
>> https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt
>>>    And a new name following this specification might look like:
>>>         a1uik0w1gmfq3i5ievxdm9ceu27e88g6o7pe0rffdw9jmntwkdsd.onion
>> 
>> …where the longest label is *53* characters long, still well within the bounds of DNS legality (63) and yet leaving 10 characters grace for padding hyphens, or something. But for some reason we are still arguing about future speculation and what “might” happen.  Honestly, I wonder why *that* is?
>> 
> 
> ​Because the registry assumed that the IETF had change control for special use names that involved non-DNS​ resolutions.   Clearly it does not for .onion, so we are working out what to do in real time, rather than simply following a well trodden path.
[...]

> ​Good faith don't grow Christmas trees, in the words of my grandfather.  My frank assessment is that if the Tor community can commit in good faith to follow the DNS constraints for its identifiers (don't step on IDN rules, follow the length guidelines, etc.), the ​IETF should register .onion and then immediately close the registry for repairs and refactoring.
> 
> But that's just my own opinion,


Your grandfather spoke wise words.  Nick Mathewson is the engineer who leads Tor development on Onion services.  He writes thusly on this matter:

https://lists.torproject.org/pipermail/tor-dev/2015-August/009275.html

How will that fly with you?

    -a

v2.23.0 | Report a Bug | By Email