Re: [secdir] Security review of draft-ietf-dnsop-onion-tld-00.txt

Mark Nottingham <mnot@mnot.net> Sat, 29 August 2015 10:10 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9969D1B2FCB; Sat, 29 Aug 2015 03:10:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VDbucbhrQOiE; Sat, 29 Aug 2015 03:10:54 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28B1E1B2E99; Sat, 29 Aug 2015 03:10:54 -0700 (PDT)
Received: from [192.168.0.26] (unknown [120.149.147.132]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 4F2EB22E1F4; Sat, 29 Aug 2015 06:10:46 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CALaySJLD7WQG_2Zj2bU1_1TvTOVtVnw+YdirupFX5eAYu4CVOA@mail.gmail.com>
Date: Sat, 29 Aug 2015 20:10:44 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <E178C22F-11F1-4FD7-89CC-5B2F8D1F3C44@mnot.net>
References: <007601d0c2c3$7615b610$62412230$@huitema.net> <CAHbuEH7RSdDmJK3i0e0W+kW0TSsbCNqQx7S+ZKp1Zx+7-uRjhw@mail.gmail.com> <841F8AF6-D800-4232-A900-7FB3872DE1D7@fb.com> <CAHbuEH66yK9JqnnK4UnoC1wtkL1d6S-JeL5twx6izM9o-R_BNg@mail.gmail.com> <CALaySJLD7WQG_2Zj2bU1_1TvTOVtVnw+YdirupFX5eAYu4CVOA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/kJ6yU6ZzhLl7O0fHaLmOiVDCKRw>
Cc: secdir <secdir@ietf.org>, Alec Muffett <alecm@fb.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "draft-ietf-dnsop-onion-tld.all@tools.ietf.org" <draft-ietf-dnsop-onion-tld.all@tools.ietf.org>, The IESG <iesg@ietf.org>, Brad Hill <hillbrad@fb.com>
Subject: Re: [secdir] Security review of draft-ietf-dnsop-onion-tld-00.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2015 10:10:56 -0000

Barry,

> On 29 Aug 2015, at 12:55 am, Barry Leiba <barryleiba@computer.org> wrote:
> 
> Supporting one point about updating the draft:
> 
>>> At the suggestions of Mark Nottingham & Richard Barnes (cc:) we have
>>> refrained from issuing revisions to the draft because of the impending
>>> 2015-09-03 IESG telechat, in order that discussion does not derail for
>>> pursuit of a moving target
>> 
>> Comments from other ADs are asking about the comments that have not
>> been addressed.  The effect of this is that the ADs are reviewing and
>> don't know if outstanding comments from reviewers in last call will be
>> addressed.  I recommend asking the sponsoring AD if you could upload a
>> new version today.  I didn't cast my ballot after reading it yet as
>> the SecDir review wasn't addressed and Christian had some good points.
>> 
>> If we at least had a version to look at that addressed the points, it
>> would help some of us... even if it's posted elsewhere.
> 
> I really don't understand the allergy that some of us seem to have
> toward updating drafts.  The fact that people are reviewing the draft
> shouldn't matter.  Why, if there are updates pending, should anyone
> consider it more useful to continue to have people review an old
> version, when we could be posting a new one for review?  It makes no
> sense to me, but it's common advice.
> 
> I suggest we encourage people to post revisions when they think it
> would be useful, and only hold back under specific circumstances that
> we think merit an unchanging draft for a while (such as, we have
> updates proposed but they're still being batted around and aren't
> ready to commit yet).
> 
> I'd rather have people reviewing the latest version, rather than
> re-raising things that were already discussed and addressed.

*sigh*

I'm sure the authors will be happy to update the draft. The advice we Richard and I gave was ~two days before the IESG telechat, and it didn't seem wise to update it at that point.

If the IESG would like to set a clear, unambiguous policy about this, I'm sure it would be welcomed; personally, I've heard advice both ways, and have not yet figured out how to make everyone happy.

Cheers,

--
Mark Nottingham   https://www.mnot.net/