Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

joel jaeggli <joelja@bogus.com> Fri, 17 July 2015 13:53 UTC

Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
To: Richard Barnes <rlb@ipv.sx>, Joe Hildebrand <hildjj@cursive.net>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <CA+9kkMAz1ogcpWAdKaKTRm9f8sV4RO+TKu6aYB717D7+eM0bmw@mail.gmail.com> <20150714205019.GA20641@sources.org> <93AA7CD2-DFC0-419C-9103-F39AA711BD79@virtualized.org> <CF44E5A4-B5CC-4D7A-BAD8-D2989AAC96BE@cursive.net> <CAL02cgTf0hzeTiranKeUheMnUG9HjR897FwKAfPoufiFj=UW3g@mail.gmail.com>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <55A86F13.2080502@bogus.com>
Date: Thu, 16 Jul 2015 19:57:23 -0700
In-Reply-To: <CAL02cgTf0hzeTiranKeUheMnUG9HjR897FwKAfPoufiFj=UW3g@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/N9nJkZxru3LVeWPPdovUziYp3Ks>
Cc: dnsop <dnsop@ietf.org>, IETF <ietf@ietf.org>

On 7/16/15 9:04 AM, Richard Barnes wrote:
> On Thu, Jul 16, 2015 at 12:44 AM, Joe Hildebrand <hildjj@cursive.net> wrote:
>> On 15 Jul 2015, at 5:37, David Conrad wrote:
>>
>>> I try to be pragmatic. Given I do not believe that refusing to put ONION
>>> in the special names registry will stop the use of .ONION, the size of the
>>> installed base of TOR implementations, and the implications of the use of
>>> that string in certificates, I support moving ONION to the special names
>>> registry.  I really (really) wish there were more concrete, objective metrics
>>> (e.g., size of installed base or some such), but my gut feeling is that TOR
>>> is pretty well deployed and given the CAB Forum stuff, I see no particular
>>> reason to delay (after all, it's not like the deployed base of TOR is likely
>>> to get smaller).
>>
>>
>> I don't see any mention of the CAB Forum stuff in the draft.  Has anyone
>> done the analysis to see if CAB Forum members really will issue certs to
>> .onion addresses if we do this?  Do they issue certs for .example or .local
>> today?
> 
> There are at least a few CAs issuing for .onion right now, under the
> exceptions that are going to expire in a few months.  So I assume that
> these CAs will be interested in issuing if policy allows.
> 
> My understanding is that the basic requirement that CABF has is that a
> name either be clearly a valid DNS name or clearly *not* a valid DNS
> name.  (And in either case, that the applicant be able to demonstrate
> control.)  Right now, that's ambiguous.  Adding .onion to the RFC 6761
> registry would remove the ambiguity, since it would officially mark
> names under .onion as not DNS names.

I won't presume that we can tell the CAB Forum folks what they can do.

They've stated what they intend to do and it seems likely that they will
carry through with that.

https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names/

> --Richard
> 
> 
> 
>> If certificate issuance is one of the key drivers for this work, there needs
>> to be information in the draft that shows that this approach will work.

I think there's a certain amount of moral hazard associated with being
extremely concerned about the considerations arising from that. It may
be the case that they have a deadline; whether it gets added to the
registry or not should come down to the merit of the request and its
congruence with how we run that registry.

>> --
>> Joe Hildebrand