Re: dane-openpgp 2nd LC resolution

Warren Kumari <warren@kumari.net> Tue, 15 March 2016 03:29 UTC

From: Warren Kumari <warren@kumari.net>
Date: Tue, 15 Mar 2016 03:28:43 +0000
Message-ID: <CAHw9_iLrnsWADNSY67-mYXKs=zYcVaM5v7Zqi0+PsWUW+B2CmA@mail.gmail.com>
Subject: Re: dane-openpgp 2nd LC resolution
To: Doug Barton <dougb@dougbarton.us>, Paul Wouters <paul@nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/W4Lpx93E6wnATijNIHT6COGoF9s>
Cc: ietf@ietf.org

On Tue, Mar 15, 2016 at 9:44 AM Doug Barton <dougb@dougbarton.us> wrote:

> On 03/14/2016 04:18 PM, Paul Wouters wrote:
> > Yes, you are about 1.5 years late. And your arguments are (un)fortunately
> > not new arguments. Since the archive on this draft is rather huge, I can
> > understand that you missed part of this discussion. So for completeness'
> > sake, I will answer your questions again.
>
> Thank you for your patience in explaining your reasoning, and again, I'm
> sorry for coming late to the party. And thanks as well for confirming
> that my memory is correct ... at one time I did hear that this topic was
> going in the direction of signatures rather than certs. Unfortunate that
> I didn't follow it closer.
>
>
I just wanted to mention that we have been working on this for a long time,
and there is a definite level of frustration (and some cultural mismatches
/ cross area challenges), and many people are tired at this point. There
have been a large number of messages on the list related to this document
(and topic), so following it closely is a challenge.
> Regarding what you said and what your goals are, I think that we are
> pretty far apart. I will send a detailed response to your message on the
> DANE list soon. In all likelihood I will also create a new I-D with my
> ideas specified in more detail.


Yes, please do - I think it would be useful to have a better understanding
/ more detail. I should mention again that at this point many people are
tired and / or frustrated, so we will have to work to overcome that.


> Perhaps what is needed is more than one
> experiment. :)
>

Aaaargh! What could possibly go wrong!? :-P

W


> In regards to the current last call, while your explanations do help to
> alleviate a few of my concerns, in large part I am still not
> enthusiastic about this version of the draft proceeding.
>
> In particular I think the concern about these RRs being used for DDOS
> amplification remains. There is no mechanism in place currently in any
> name server software that I am aware of to limit responses to queries in
> the manner you describe (only send answers if the query comes over TCP
> or with DNS-Cookies). Further, I don't see that happening any time soon.
>
> Close behind that concern, the larger IETF community (or at least some
> very vocal segments of it) have serious concerns about this type of
> opportunistic encryption happening at all, or in my case, without user
> input. They (and to some extent I) remain unconvinced by your
> assertion that this type of opportunistic encryption is always better
> than the current state. Personally, I need to think more about that, but
> at least in the early stages of an experiment in tying PGP keys to DNS
> RRs, I'm definitely opposed.
>
> FWIW,
>
> Doug
>
>
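The transport-conditional answering Doug refers to above (only return the large OPENPGPKEY answer if the query arrived over TCP or carries a DNS cookie, otherwise send a truncated reply so the client retries over TCP) sketched as a response policy. This is an added example, not code from the thread or from any name server; the RR type number 61 is from RFC 7929, while the query-size and overhead constants and the MAX_AMPLIFICATION knob are assumptions chosen for illustration.

```python
"""Response policy sketch for DNS amplification mitigation.

Policy: serve large OPENPGPKEY answers in full over TCP, or over UDP when the
query carries a server-verified DNS cookie; to an unauthenticated UDP source,
send an empty TC=1 reply instead, which forces the client to retry over TCP.
Constructed example; not the behaviour of any real name server.
"""
from dataclasses import dataclass, field
from typing import List

OPENPGPKEY = 61          # RR type number assigned by RFC 7929
UDP_QUERY_SIZE = 60      # assumed typical size in bytes of an OPENPGPKEY query
MAX_AMPLIFICATION = 3.0  # assumed policy knob: largest UDP response/query ratio


@dataclass
class Query:
    qname: str
    qtype: int
    transport: str               # "udp" or "tcp"
    cookie_valid: bool = False   # True only if a DNS cookie (RFC 7873) verified


@dataclass
class Response:
    truncated: bool                                 # the TC header bit
    answers: List[bytes] = field(default_factory=list)

    @property
    def wire_size(self) -> int:
        # Assumed approximation: 12-byte header plus a fixed per-RR overhead
        # (compressed owner name, type, class, TTL, RDLENGTH) and the RDATA.
        return 12 + sum(11 + len(rdata) for rdata in self.answers)


def decide(q: Query, rrs: List[bytes]) -> Response:
    """Return the response a server following this policy would emit."""
    full = Response(truncated=False, answers=list(rrs))
    if q.transport == "tcp" or q.cookie_valid:
        # The source address has been validated by the TCP handshake or the
        # cookie exchange, so a large answer cannot be reflected elsewhere.
        return full
    # Unvalidated UDP source: refuse to act as an amplifier for big answers.
    if full.wire_size / UDP_QUERY_SIZE > MAX_AMPLIFICATION:
        return Response(truncated=True)  # TC=1, empty answer -> retry over TCP
    return full


if __name__ == "__main__":
    key = bytes(2048)  # constructed stand-in for a 2 KB OpenPGP key RDATA
    for t, c in (("udp", False), ("udp", True), ("tcp", False)):
        r = decide(Query("x._openpgpkey.example.com", OPENPGPKEY, t, c), [key])
        print(t, "cookie" if c else "no-cookie", "TC=1" if r.truncated else "full")
```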