Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-rfc6844bis-06: (with COMMENT)
Jacob Hoffman-Andrews <jsha@eff.org> Thu, 30 May 2019 22:19 UTC
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1B3C1200C1 for <spasm@ietfa.amsl.com>; Thu, 30 May 2019 15:19:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.425
X-Spam-Level:
X-Spam-Status: No, score=-7.425 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.415, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GpKKcQzYdtqP for <spasm@ietfa.amsl.com>; Thu, 30 May 2019 15:19:10 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04D05120004 for <spasm@ietf.org>; Thu, 30 May 2019 15:19:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version: Date:Message-ID:From:References:To:Subject:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=OnSGYTnaSRrPrOEc5ZGqaJbF8eKb4613p/T2bJqhc4A=; b=Fsnv/DUMDbdXN1+VHiIaqdt/qQ Dzv9dzPVKoO2NVrPohm5HIaLJAn5jaADzkt+sJ1+Rcj9ZugbXPxFTymwNiaDiuERQv+YueVgFsyTv qynzzMaQYyZtUafMqTSh0v7tcHI8VKSTj++c8ZAgZVhN5oBGqR9IIKouXi193M3Fqnfk=;
Received: ; Thu, 30 May 2019 15:19:09 -0700
To: spasm@ietf.org
References: <155838482753.12864.7318594608163615168.idtracker@ietfa.amsl.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <b062d1c6-7783-7dee-1f5c-d18699c0d788@eff.org>
Date: Thu, 30 May 2019 15:19:08 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <155838482753.12864.7318594608163615168.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wvvF49EMZiHeKg0aklLIWT3AbTw>
Subject: Re: [lamps] Éric Vyncke's No Objection on draft-ietf-lamps-rfc6844bis-06: (with COMMENT)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 22:19:12 -0000
> == COMMENTS == > > -- Section 2.2 -- > > "Domain Name: The label assigned to a node in the Domain Name System." AFAIK > RFC 1034 defines it differently "The domain name of a node is the list of the > labels on the path from the node to the root of the tree" Or are we talking > about different "domain names" ? Thanks, this is good feedback. I adopted language that matches the CA/Browser Forum Baseline Requirements, for better integration there: > Domain Name: The label assigned to a node in the Domain Name System. > Fully-Qualified Domain Name: A Domain Name that includes the labels > of all superior nodes in the Domain Name System. So FQDN matches the "list of labels" definition pretty well. However, looking at this made me realize that this draft says "Domain Name" in a lot of places that should say "FQDN." I'll change all these to FQDN in the next draft. > "Wildcard domain name": it would be interesting to define not only the syntax > but also the semantic do those wildcard domain names. These are defined in https://tools.ietf.org/html/rfc6125#section-6.4.3. > While I am not a security expert, a TLD could add a CAA forcing all its FQDN to > either use the CA defined in the TLD CAA RRset or add a per FQDN CAA (which may > raise the bar for small not-so-managed domains which otherwise could have used > a cheap and easy CA such as letsencrypt). Is it really good to climb the DNS > tree up to the TLD? Just curious. This is sub-optimal, but unfortunately there's no good programmatic way to determine where the TLD begins. For instance "example.co.uk" vs "example.com". The DBOUND WG is working on this problem but it's not solved yet. Since there's an option for subdomains to set their own CAA policy, the negative effects of such a choice by a TLD are not too bad. > I would have preferred a recursive definition rather than an interative > algorithm but this is a matter of taste ;-) I agree, but since it's a matter of taste I decided to err on the side of "similar to previous algorithm" so it's easy for CAs to analyze the differences.
- [lamps] Éric Vyncke's No Objection on draft-ietf-… Éric Vyncke via Datatracker
- Re: [lamps] Éric Vyncke's No Objection on draft-i… Jacob Hoffman-Andrews