Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Edward Lewis <edward.lewis@icann.org> Wed, 15 July 2015 18:04 UTC

From: Edward Lewis <edward.lewis@icann.org>
To: Ted Lemon <ted.lemon@nominum.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Date: Wed, 15 Jul 2015 18:04:02 +0000
Message-ID: <D1CC11CA.D086%edward.lewis@icann.org>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <D1CBC489.D039%edward.lewis@icann.org> <55A69556.9020207@nominum.com>
In-Reply-To: <55A69556.9020207@nominum.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/fJsD70wguIV0dR_Ndq4N3Oia6vE>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>


On 7/15/15, 13:16, "DNSOP on behalf of Ted Lemon" <dnsop-bounces@ietf.org
on behalf of ted.lemon@nominum.com> wrote:

>On 07/15/2015 05:42 AM, Edward Lewis wrote:
>
>No, it's not independent, because .onion sites won't be able to get PKI
>certs if we don't do the allocation.

That's what I meant by "(to some extent)".  If not being able to get the
certs kills Tor, then failing to get some special designation would be a
show stopper.  But that isn't in the document (and you'll see I keep
coming back to the document's content).

>We discussed this at length in the working group

The discussion in the WG is not reflected in the document.

>It is clearly understood that TOR is effectively an SDO
>that has defined a standard using their own system of publication and
>their own standardization methodology, which is different than the
>IETF's methodology for very good reasons. Requiring another SDO to
>follow IETF process in order to get an allocation of this type doesn't
>make sense and isn't required by the governing standard.

Until I read this, I wasn't aware that Tor (TOR?) was even an organized
thing.  I don't follow what you mean by requiring another "standards
development organization" to follow the IETF process.  I thought that for
Tor to get certificates from CA/B forum members there was a need to have
"onion" be a specially designated identifier and that the IETF's Special
Use Domain Names registry seems like an apt approach.

>Are you claiming that there is not widespread deployment of TOR? There
>was no controversy in the working group on this question: nobody there
>claimed that TOR wasn't sufficiently widely deployed to justify
>allocation.

To answer your question, no.  I'm not making a claim about its deployment.
OTOH, I have never seen any first-hand evidence of it (I do live in a
cave perhaps).  None of my friends, family, etc., seem to know about it,
and so on.  But that doesn't matter - the document, as it stands, does not
give any indication that there is a widespread deployment of it.  I.e.,
I'm challenging the document preparers to include text that gives some
estimation of the scale of deployment.  Document it.

>I think this is a reasonable position to take, with one exception. I
>think it's fine for the document to make recommendations about what name
>servers and the root should do, but it's not our place to make
>requirements, nor do I think it's necessary.   However, it would be very
>beneficial for host implementations to special case .onion, as some
>hosts do for .local now.   When hosts fail to apply appropriate special
>case handling for .local, it creates operational annoyances, to no
>benefit.   In the case of .onion, it creates a privacy problem.   So I
>don't mind this text as much as you do, but I do wonder if we'll
>actually see widespread implementation of such requirements.

I didn't see the exception you had in mind.  From what little I apparently
understand about Tor/onion, applications need to behave in a way that
enhances privacy and it would be cool if DNS servers weren't configured to
return conflicting data.  The DNS protocol doesn't need to be changed,
much like .local isn't special to a general purpose DNS server despite
behaving in a certain fashion in a host.

>>Ed: I'm agreeing with Ted in that this application is insufficient.
>
>Whoa there, cowboy!   I didn't say it was insufficient.

http://www.ietf.org/mail-archive/web/ietf/current/msg93849.html

That "Ted".

>And also, please don't call it an application.   It is an internet
>draft, which has passed working group last call, and is in IETF last
>call.   An application would be something that would be handled by the
>IESG, through the instrumentality of the IANA.

Ted called it a "request."  (Just sayin'.)

Keep in mind - I'm saying the document, the internet-draft, doesn't
contain all that it could or should to be a convincing use case.  Perhaps
it ticked off all the check boxes of RFC 6761, but I think it lacks what
it needs to be convincing as well as stand the test of time.
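The host-side special-casing Ted and Ed discuss above (treat .onion the way a host treats .local: never hand it to unicast DNS, so a hidden-service name is not leaked to a resolver) as an added Python illustration. This is not code from the thread, the draft or Tor; the query-log line format and the sample log are assumptions constructed for the example.

```python
"""Host-side handling of the .onion special-use name, plus a defender's check
for hosts that failed to apply it. Added illustration, not code from the draft."""
import re
from typing import List, Tuple

# Rightmost label -> what a stub resolver does instead of forwarding the query.
# "onion": answer NXDOMAIN locally (the draft's behaviour for non-Tor-aware code);
# "local": hand to mDNS rather than unicast DNS (the .local precedent Ted cites).
SPECIAL_USE = {"onion": "NXDOMAIN_LOCALLY", "local": "MDNS"}

def labels(name: str) -> List[str]:
    """Presentation-format name -> labels: strip trailing dot, fold case, drop root."""
    return [l for l in name.rstrip(".").lower().split(".") if l]

def special_use_action(name: str) -> str:
    """'FORWARD' for ordinary names, or the local action for a special-use TLD.
    Only the rightmost label counts: 'onion.example.org' is an ordinary DNS name."""
    parts = labels(name)
    if not parts:
        return "FORWARD"          # the root itself is ordinary DNS
    return SPECIAL_USE.get(parts[-1], "FORWARD")

# Constructed query-log line format (an assumption, not any real resolver's):
#   <client-ip> <qname> <qtype>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def find_onion_leaks(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(client, qname) for every query that a resolver actually received for a
    .onion name: each one is a host that should have answered it locally."""
    leaks = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines
        client, qname, _qtype = m.groups()
        if special_use_action(qname) == "NXDOMAIN_LOCALLY":
            leaks.append((client, qname))
    return leaks

SAMPLE_LOG = [  # constructed sample, not real traffic
    "10.0.0.5 www.example.com. A",
    "10.0.0.7 abcdefghijklmnop.onion. A",
    "10.0.0.7 abcdefghijklmnop.ONION AAAA",
    "10.0.0.9 onion.example.org A",
    "10.0.0.5 printer.local A",
]
```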