Re: [secdir] secdir review of draft-ietf-idnabis-rationale-13.txt

Andrew Sullivan <ajs@shinkuro.com> Mon, 05 October 2009 20:55 UTC

Return-Path: <ajs@shinkuro.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B0DE33A698B; Mon, 5 Oct 2009 13:55:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.128
X-Spam-Level:
X-Spam-Status: No, score=-2.128 tagged_above=-999 required=5 tests=[AWL=0.471, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uZb2UCzo5dOB; Mon, 5 Oct 2009 13:55:09 -0700 (PDT)
Received: from mail.yitter.info (mail.yitter.info [208.86.224.201]) by core3.amsl.com (Postfix) with ESMTP id 0881F3A68FF; Mon, 5 Oct 2009 13:55:07 -0700 (PDT)
Received: from crankycanuck.ca (69-196-144-230.dsl.teksavvy.com [69.196.144.230]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.yitter.info (Postfix) with ESMTPSA id 704402FE8CA1; Mon, 5 Oct 2009 20:56:42 +0000 (UTC)
Date: Mon, 05 Oct 2009 16:56:40 -0400
From: Andrew Sullivan <ajs@shinkuro.com>
To: Vint Cerf <vint@google.com>
Message-ID: <20091005205639.GT25543@shinkuro.com>
References: <D80EDFF2AD83E648BD1164257B9B091208282265@TK5EX14MBXC115.redmond.corp.microsoft.com> <83AA9570-4B1A-4D3A-A9F1-CE73E18B4DFC@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <83AA9570-4B1A-4D3A-A9F1-CE73E18B4DFC@google.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: "secdir@ietf.org" <secdir@ietf.org>, "john+ietf@jck.com" <john+ietf@jck.com>, "idna-update@alvestrand.no" <idna-update@alvestrand.no>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-idnabis-rationale-13.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2009 20:55:09 -0000

On Mon, Oct 05, 2009 at 04:39:44PM -0400, Vint Cerf wrote:
> i think the point was precisely that DNSSEC should operate at DNS level 
> (using only LDH-form domain names or, in IDNA2008 parlance, A-labels). No 
> other form of label valid under IDNA2008 (such as a U-label) should be 
> used in conjunction with DNSSEC.
>
> If I have not quite got that right I am sure my colleagues on IDNA- 
> UPDATE will correct me.

That's exactly right.  DNSSEC operates on DNS responses, which are
required to be A-labels.  Therefore, DNSSEC is completely unaffected
by IDNA.

I think it would be a bad idea to add anything to any section,
including the security considerations section, that made any remarks
specifically about DNSSEC.  If someone really wanted to add something
about the effects of IDNA on the security of the DNS _as such_ (rather
than the use of labels as humans understand them), I'd suggest
instead something to the following effect: "IDNA operates at a level
above DNS, and therefore does not affect the security of the DNS
protocols.  Security issues in the DNS protocols are also security
issues for IDNA, because IDNA depends on the DNS."  Or something like
that.  (But I don't think adding anything is a good idea.)  

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.
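The layering the message describes can be made concrete in code. Below is an added example (not part of the thread, and not code from the IDNA or DNSSEC specifications) that converts a U-label to the A-label that actually goes into a DNS query, and then builds the RFC 4034 section 6.2 canonical owner-name form that DNSSEC signatures are computed over. The canonical form accepts only ASCII, so a U-label can never reach it; that is the sense in which DNSSEC is unaffected by IDNA. Assumptions: the mapping step is simplified to lowercase plus NFC (RFC 5895 mapping is richer), and no IDNA2008 code point validity check is performed; only the RFC 3492 punycode codec from the Python standard library is used.

```python
import unicodedata


def to_alabel(label: str) -> str:
    """Turn one label into the form that goes on the wire.

    ASCII LDH labels pass through unchanged; anything else is treated as a
    U-label and encoded as "xn--" + punycode (RFC 3492).
    Assumption: mapping is simplified to lowercase + NFC, and no IDNA2008
    code point table check is done here.
    """
    mapped = unicodedata.normalize("NFC", label.lower())
    if mapped.isascii():
        ldh = all(c.isalnum() or c == "-" for c in mapped)
        if not mapped or not ldh or mapped.startswith("-") or mapped.endswith("-"):
            raise ValueError(f"not an LDH label: {label!r}")
        alabel = mapped
    else:
        alabel = "xn--" + mapped.encode("punycode").decode("ascii")
    if len(alabel) > 63:
        raise ValueError(f"label longer than 63 octets: {alabel!r}")
    return alabel


def to_alabel_name(name: str) -> str:
    """Convert a dotted name (U-labels allowed) to its A-label form with a trailing dot."""
    stripped = name.rstrip(".")
    if not stripped:
        return "."
    return ".".join(to_alabel(lbl) for lbl in stripped.split(".")) + "."


def canonical_wire_name(name: str) -> bytes:
    """RFC 4034 s6.2 canonical form of an owner name: ASCII uppercase folded to
    lowercase, then wire-encoded as length-prefixed labels ending in a zero octet.

    This is the byte string DNSSEC signs and verifies. It refuses non-ASCII
    input outright: a U-label never exists at this layer.
    """
    if not name.isascii():
        raise ValueError("U-label reached the DNS layer; DNSSEC only sees A-labels")
    out = bytearray()
    stripped = name.rstrip(".")
    if stripped:
        for label in stripped.split("."):
            raw = label.lower().encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length: {label!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a German word in a hypothetical zone "example".
    user_typed = "Bücher.example"
    on_the_wire = to_alabel_name(user_typed)          # xn--bcher-kva.example.
    print(user_typed, "->", on_the_wire)
    print("canonical form DNSSEC signs:", canonical_wire_name(on_the_wire).hex())
    try:
        canonical_wire_name(user_typed)
    except ValueError as exc:
        print("U-label rejected at DNS layer:", exc)
```

The point the code makes is the one in the message: the signed data is a function of the A-label octets alone, so any security question about how a human reads "bücher" versus a confusable spelling lives above the DNS, in the application that performed the mapping, not in DNSSEC.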