Re: snarls in real life

Michael Thomas <> Wed, 21 April 2021 17:50 UTC

Subject: Re: snarls in real life
To: Christian Huitema <>,
References: <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Wed, 21 Apr 2021 10:49:56 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
List-Id: IETF-Discussion <>

On 4/21/21 10:08 AM, Christian Huitema wrote:
> On 4/21/2021 9:31 AM, Michael Thomas wrote:
>> Chrome already did the DANE work once upon a time so DNSSEC is the 
>> only missing piece. But the very thought that the number of packets 
>> exchanged in a transport protocol's setup is *off topic* within 24 
>> hours and a few messages back and forth speaks miles about how broken 
>> many working groups are and why nobody wants to participate.
> My takeaway from these exchanges is a bit different. You are 
> advocating for using DANE instead of PKI during the authentication 
> exchange, because this leads to fewer packets. People provided three 
> different counter arguments. The first argument was that in first 
> order, performance is measured by the number of round-trips, not the 
> number of packets, and that using DANE instead of PKI would not result 
> in big performance gains in practice. The second argument was that the 
> full authentication exchange is only used in a small fraction of 
> connections. The other exchanges use session resumption, and in that 
> case there is no difference between DANE and PKI. The third argument 
> was that there is no specific work to do in the QUIC working group on 
> this topic, since QUIC relies on TLS 1.3 for authentication and TLS 
> 1.3 already supports DANE. Using DANE instead of PKI is a deployment 
> issue, not a protocol development issue, and there is no concrete work 
> for the QUIC WG.
The meta question is whether that is so off topic that it needs to be 
officially shut down with the working group chairs. The technical merits 
are what they are. What I was told in no uncertain terms is that I am 
not allowed to even ask the question. Is that appropriate?
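The "DANE instead of PKI" step the thread argues about is, at the client, a match of a DNSSEC-validated TLSA record against the certificate the server presents, with no chain building at all for usage 3 (DANE-EE). The following is an added example written for this page, not code from the thread, from Chrome, or from any QUIC/TLS stack. It implements the RFC 6698 TLSA RDATA layout and the DANE-EE match with the Python standard library only; the certificate and SubjectPublicKeyInfo bytes are constructed placeholders rather than real DER, and extracting the SPKI from a real certificate (an ASN.1 parse) is assumed to happen elsewhere. The `dnssec_secure` flag is likewise an assumption standing in for the resolver's validation result.

```python
# Added example (not from the thread): DANE-EE (TLSA usage 3) matching in
# place of PKIX chain validation, RFC 6698 RDATA layout, stdlib only.
# SAMPLE_CERT / SAMPLE_SPKI are constructed placeholder bytes, not real DER.
import hashlib
import hmac
import struct
from dataclasses import dataclass

# TLSA field values from RFC 6698 section 2.1.
USAGE_DANE_EE = 3        # the record itself is the trust anchor for the EE cert
SELECTOR_FULL_CERT = 0   # match against the whole DER certificate
SELECTOR_SPKI = 1        # match against the SubjectPublicKeyInfo only
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed placeholders standing in for DER-encoded structures.
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"placeholder-certificate-bytes" * 4
SAMPLE_SPKI = b"\x30\x59" + b"placeholder-spki-bytes" * 3


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for a service, e.g. _443._tcp.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Decode one TLSA RDATA: usage(1) selector(1) matching_type(1) data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA must be at least 3 bytes")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return TLSA(usage, selector, mtype, rdata[3:])


def _digest(mtype: int, subject: bytes) -> bytes:
    """Certificate association data for `subject` under a matching type."""
    if mtype == MATCH_EXACT:
        return subject
    if mtype == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_tlsa_rdata(usage: int, selector: int, mtype: int, subject: bytes) -> bytes:
    """Encode a TLSA record for `subject` (DER cert or DER SPKI bytes)."""
    return struct.pack("!BBB", usage, selector, mtype) + _digest(mtype, subject)


def dane_ee_record_matches(tlsa: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE record matches the presented end-entity certificate.

    Records whose usage, selector or matching type this client does not
    implement are treated as unusable (RFC 6698 section 4.1): they never
    match, and they never raise, so one odd record cannot break the RRset.
    """
    if tlsa.usage != USAGE_DANE_EE:
        return False
    if tlsa.selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif tlsa.selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        return False
    try:
        expected = _digest(tlsa.matching_type, subject)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tlsa.data)


def authenticate_dane_ee(tlsa_rrset, cert_der: bytes, spki_der: bytes,
                         dnssec_secure: bool) -> bool:
    """Accept the peer if the RRset was DNSSEC-validated and any DANE-EE record
    matches. An unvalidated RRset carries no authentication at all, so it is
    rejected outright rather than matched against."""
    if not dnssec_secure:
        return False
    return any(dane_ee_record_matches(parse_tlsa_rdata(r), cert_der, spki_der)
               for r in tlsa_rrset)


if __name__ == "__main__":
    rr = build_tlsa_rdata(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, SAMPLE_SPKI)
    print(tlsa_owner_name("www.example.com", 443), rr.hex())
    print(authenticate_dane_ee([rr], SAMPLE_CERT, SAMPLE_SPKI, dnssec_secure=True))
```

The whole "3 1 1" record is 35 bytes on the wire, which is the packet-count point being argued; what the example also makes explicit is that the match is only as strong as the DNSSEC validation that produced the RRset, which is why the thread treats DNSSEC as the missing piece rather than the TLSA lookup itself.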