Re: [secdir] SecDir Review of draft-ietf-dane-ops-12

Barry Leiba <barryleiba@computer.org> Fri, 10 July 2015 04:40 UTC

From: Barry Leiba <barryleiba@computer.org>
To: Tina TSOU <Tina.Tsou.Zouting@huawei.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/o0z5DA-NuiZRTYhJD8nnBRvVZUE>
Cc: "draft-ietf-dane-ops.all@tools.ietf.org" <draft-ietf-dane-ops.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir Review of draft-ietf-dane-ops-12

Thanks for the review, Tina.

Just responding to one point:

Section 4.2, page 8:
> > Publication of the server
> >    certificate or public key (digest) in a TLSA record in a DNSSEC
> >    signed zone by the domain owner assures the TLS client that the
> >    certificate is not an unauthorized certificate issued by a rogue CA
> >    without the domain owner's consent.
>
> Avoiding the double-negation improves clarity... i.e., please change to
> "...is an authorized certificate issued by a rogue CA
>     without the domain owner's consent"
>

You're right that it's best to avoid double negatives, but this actually
isn't one, and your suggestion changes the meaning completely.  Using
parentheses to show the word groupings, this is not saying that "the
certificate is (not an unauthorized certificate) issued by a rogue CA".
It's saying that "the certificate is not (an unauthorized certificate
issued by a rogue CA)".  And this really is the best way to say that.  I
can't think of a way to reword it that isn't clunky and awkward.

Barry