Re: [secdir] secdir review of draft-ietf-idnabis-rationale-13.txt
John C Klensin <klensin@jck.com> Tue, 06 October 2009 13:35 UTC
Return-Path: <klensin@jck.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A06123A690C; Tue, 6 Oct 2009 06:35:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.561
X-Spam-Level:
X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rIpAYjvdN28i; Tue, 6 Oct 2009 06:35:10 -0700 (PDT)
Received: from bs.jck.com (ns.jck.com [209.187.148.211]) by core3.amsl.com (Postfix) with ESMTP id 917303A67AE; Tue, 6 Oct 2009 06:35:10 -0700 (PDT)
Received: from [127.0.0.1] (helo=localhost) by bs.jck.com with esmtp (Exim 4.34) id 1MvADc-0000Q9-Fo; Tue, 06 Oct 2009 09:36:44 -0400
Date: Tue, 06 Oct 2009 09:36:43 -0400
From: John C Klensin <klensin@jck.com>
To: Charlie Kaufman <charliek@microsoft.com>, Paul Hoffman <phoffman@imc.org>, secdir@ietf.org, iesg@ietf.org, vint@google.com, d3e3e3@gmail.com, idna-update@alvestrand.no
Message-ID: <5D784106504F4C12EAD9FFA5@PST.JCK.COM>
In-Reply-To: <D80EDFF2AD83E648BD1164257B9B0912082837C2@TK5EX14MBXC115.redmond.corp.microsoft.com>
References: <D80EDFF2AD83E648BD1164257B9B091208282265@TK5EX14MBXC115.redmond.corp.micr osoft.com> <p06240883c6f00ff718bf@[10.20.30.163]> <D80EDFF2AD83E648BD1164257B9B091208283635@TK5EX14MBXC115.redmond.corp.microsoft.com> <17823AE7FE62B8814BE101BF@PST.JCK.COM> <D80EDFF2AD83E648BD1164257B9B0912082837C2@TK5EX14MBXC115.redmond.corp.microsoft.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: Re: [secdir] secdir review of draft-ietf-idnabis-rationale-13.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2009 13:35:11 -0000
--On Tuesday, October 06, 2009 07:33 +0000 Charlie Kaufman <charliek@microsoft.com> wrote: > My reading of the IDNA spec was that no query response would > ever contain a U-label, and therefore saying that if the query > response did contain a U-label then DNSSEC couldn't sign or > verify it seems nonsensical. I believe that DNSSEC is more > like part of DNS than up at the layer of IDNA; it can sign > anything that DNS can return. > > I believe the DNSSEC spec says that what is signed is the > "wire form" of the name, which should be unambiguous unless > different wire forms are used in different contexts in the DNS > protocol. For DNS servers following IDNA, the wire form would > always be an A-label or an LDH-label. > > I could easily believe that there are problems when DNSSEC > interacts with non-IDNA compliant names (either because the > term "wire form" was ambiguous in some contexts or because the > DNSSEC spec did not consistently use that terminology). But I > haven't heard anyone claim that yet. Certainly it is the case that IDNA getting into trouble with DNSSEC (or vice versa) would require at least one of -- a sloppy reading of the IDNA specs -- a sloppy reading of the DNSSEC specs -- some odd case brought about by storing UTF-8 (or other) strings in the DNS, as discussed in draft-iab-idn-encoding. Of course, we've seen sloppy readings and odd cases in abundance, including a TLD or two that has registered strings in ISO 8859-1, insisted that they are IDNs, and claimed national sovereignty when criticized for that behavior. DNSSEC would of course work even for the latter as long as queries were in 8859-1, matching the stored form (if someone tried to make an IDNA query to find an 8859-1 label, it would fail with or without DNSSEC). It seems to me that the question is whether those cases are important enough to be worth a comment in Rationale (not one of the normative IDNA specs, but the non-normative explanation) and, if so, what it should say. john
- [secdir] secdir review of draft-ietf-idnabis-rati… Charlie Kaufman
- Re: [secdir] secdir review of draft-ietf-idnabis-… Andrew Sullivan
- Re: [secdir] secdir review of draft-ietf-idnabis-… Paul Hoffman
- Re: [secdir] secdir review of draft-ietf-idnabis-… Charlie Kaufman
- Re: [secdir] secdir review of draft-ietf-idnabis-… Martin J. Dürst
- Re: [secdir] secdir review of draft-ietf-idnabis-… Vint Cerf
- Re: [secdir] secdir review of draft-ietf-idnabis-… John C Klensin
- Re: [secdir] secdir review of draft-ietf-idnabis-… John C Klensin
- Re: [secdir] secdir review of draft-ietf-idnabis-… Charlie Kaufman
- Re: [secdir] secdir review of draft-ietf-idnabis-… Vint Cerf
- Re: [secdir] secdir review of draft-ietf-idnabis-… John C Klensin
- Re: [secdir] secdir review of draft-ietf-idnabis-… Andrew Sullivan
- Re: [secdir] secdir review of draft-ietf-idnabis-… John C Klensin
- Re: [secdir] secdir review of draft-ietf-idnabis-… Sam Hartman
- Re: [secdir] secdir review of draft-ietf-idnabis-… JFC Morfin
- Re: [secdir] secdir review of draft-ietf-idnabis-… John C Klensin
- Re: [secdir] secdir review of draft-ietf-idnabis-… Andrew Sullivan
- Re: [secdir] secdir review of draft-ietf-idnabis-… Eric Brunner-Williams
- Re: [secdir] secdir review of draft-ietf-idnabis-… Paul Hoffman
- Re: [secdir] secdir review of draft-ietf-idnabis-… Elisabeth Blanconil