IETF Logo Mail Archive

Re: Quic: the elephant in the room

Michael Thomas <mike@mtcc.com> Sun, 11 April 2021 19:34 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A073A1ADF for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 12:34:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FECbxBpm1Klz for <ietf@ietfa.amsl.com>; Sun, 11 Apr 2021 12:34:39 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A6243A1ADD for <ietf@ietf.org>; Sun, 11 Apr 2021 12:34:39 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id w8so2862818plg.9 for <ietf@ietf.org>; Sun, 11 Apr 2021 12:34:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=HlHIwFfSQYPS3ZIJUUzYJN5l9R0L9E0OqIEyy+PfVJ4=; b=cWckpB4jZFckcm5wrchLiXa33iMMKO7/mw/6VFkuJ44muqw8SKTvtpersEtwTNHOHx P8jP4kY0H8uAffVnwUREiVLgJQqlqGpZ49dgsOzfHGZw+xz45HOpbWOXpejSmxIwA6et FQBkWpen/+SS/zBiShwDSdOgfiVHiKfiYwraKYwjzROCB1o7sTbWEmbyFUZVzFVWPujb Ci9NipmIryA8EAuB8FW/cDE3gfnkan1o89Gd+YhYgYkOuwRfzlUdfNnn4n+ldChi6QTK j1XSDziMZc+UE5MJa8doHPi3laB8+2jUY+mYDbZi2B6l48ffetaQ9n1hQorD2onuwWpq 6v4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=HlHIwFfSQYPS3ZIJUUzYJN5l9R0L9E0OqIEyy+PfVJ4=; b=W5eYTvl1GgVMxTcEqVe7o9W3RmtofP2XJV6pX+IHV2Eqk52DprrqG6DKcgPynY2IkU cB15D8NlKzdiDDqy5H8oEg2vF1HydzeRKsumsY1r2LpzOxDHZQ+wiBHjern0rD1mIFIt ewSxqB8jvoXqJHIVTWIliEevPhYY0ZN4SIDNsgvb+KyrOND+y/ks5vdUDo2VN7OWSra/ TUZ2+O5fr+5Z8BQOCIohVKP7iIDCP3RdADhvUdfGJT2vO1+vV+QVGwcxJNgdlk3+f4YD qGlt59GzyHGcmGYwGZCHZQK1jMDZjMZmk320mphzOAzM9PSr8prjoO0GvMOZJE+KoXJ8 7fzQ==
X-Gm-Message-State: AOAM533cygumkWGFkwW2/4E5SsVI8mWNTTlEBl7luEDDrBsMAGEj7tNS DfD+rEKUPP9IYPA2QbfgQnD1UpdW00lawQ==
X-Google-Smtp-Source: ABdhPJz3UbOhoVGqEhtH29K3vlSx5W+65iQqNoJOasLNwpMEkYu4vtE2ATIEwRW2CNBGAcbAfSt4nA==
X-Received: by 2002:a17:90a:a781:: with SMTP id f1mr10578643pjq.57.1618169677361; Sun, 11 Apr 2021 12:34:37 -0700 (PDT)
Received: from mike-mac.lan (107-182-38-56.volcanocom.com. [107.182.38.56]) by smtp.gmail.com with ESMTPSA id j20sm8455328pjn.27.2021.04.11.12.34.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 11 Apr 2021 12:34:36 -0700 (PDT)
Subject: Re: Quic: the elephant in the room
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF Discussion Mailing List <ietf@ietf.org>
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com> <CAMm+Lwj-O3NMJ+zWbfOViUXE1PBPzOZ6E1iPfZ0uWAj+1Q=_-w@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <ade4b396-507b-c969-ff32-2b3291fc14fc@mtcc.com>
Date: Sun, 11 Apr 2021 12:34:35 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAMm+Lwj-O3NMJ+zWbfOViUXE1PBPzOZ6E1iPfZ0uWAj+1Q=_-w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DCE71DA353A1FF10F263D3A0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/u6nYTIGgcwY1JOxYhHzyPCIFg18>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Apr 2021 19:34:44 -0000

On 4/11/21 12:11 PM, Phillip Hallam-Baker wrote:
> I made essentially the same argument to people at Google BEFORE the 
> DANE group was ever proposed. The answer they gave me then has not 
> changed.
>
> DANE was chartered over a decade ago. Individuals in that group made 
> clear that no input was going to be accepted from anyone who was a 
> part of the WebPKI world. The tactics used were intentionally 
> exclusionary. Those of us pointing out the limitations of the proposed 
> approach were never given a fair hearing.
>
> It is now ten years since DANE was chartered. DANE has failed beyond 
> the very limited application to SMTP which was never really covered. 
> The argument for DANE was weak before LetsEncrypt was launched and it 
> seems highly unlikely future events are going to change that.
>
>
> The TLSA model is simply the wrong model. If you want to change 
> the way discovery is done, you need to think about the full discovery 
> chain. And not least because DOH is another factor in this mix.
>
> DANE and DPRIV should have all been a part of one effort that should 
> have included the introduction of SRV records for HTTP.
>
> The key weakness in the DNS protocol is that the client-resolver 
> interaction is of an entirely different character to 
> resolver-authoritative and the current client-resolver interaction 
> only supports requests for one record at a time.
>
>
> The kick off meeting for DPRIV was quite interesting. There should be 
> standing IESG instructions to prohibit chartering of any WG that is 
> premised on the need to finish something in a year, so it is essential 
> that it be done in exactly the way the proposers have already decided. 
> Even more so when the results from DPRIV could be easily foreseen from 
> the fact it was the same group that had hijacked DNS security policy 
> with DANE.
>
> I don't claim to always do the right thing but there are some folk who 
> seem to keep doing the same thing with the same outcome and for some 
> reason they get priority over folk who have actually built stuff that 
> was successfully deployed and is in use.
>
We already have a widely adopted example where we ignored the webpki 
folks too: DKIM. Certs are simply not needed in the vast majority of 
cases. DKIM could be adapted for this too, and doesn't have the downside 
of a new RR type which is always problematic. I assume that the people 
doing DANE were looking at DKIM's success as a template. Quite 
reasonably, IMO.

And I don't know how something that could reduce the message count to 
the original 3 way handshake is somehow the "wrong model". In what way? 
Is DKIM the wrong model too?

My larger point is that a Google-like company could and should run 
experiments to reduce the message count to 3 again to finish off what 
Quic is trying to accomplish. That is achievable, the only question is 
whether it's worth it which experiments would show.

Mike

v2.23.0 | Report a Bug | By Email