Re: [TLS] TLS interim meeting material

Paul Wouters <paul@nohats.ca> Fri, 14 September 2018 16:23 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F40130E5B for <tls@ietfa.amsl.com>; Fri, 14 Sep 2018 09:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BY24wLu7rn98 for <tls@ietfa.amsl.com>; Fri, 14 Sep 2018 09:23:31 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2B22130F0D for <tls@ietf.org>; Fri, 14 Sep 2018 09:23:30 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 42Bgmw6xNsz5NK; Fri, 14 Sep 2018 18:23:28 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1536942209; bh=xOdR0paojpDYtpbBFA8snfzM+9xGRj5F8cQjgtbz3Ug=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Ei/wGASLUIuKmgEX5ios30T+3bHYQzhP9Vrv7DVWdS9ft4a0DIlMNXzK/sxb6oUxz wyMRw3rrc9SokIpmid6NIUAyALmhHHo1YlS1LNlMQv86+ZDcibLoLB4PzeEI2ajQGF oOVS+RxtVy/PUJcsAyP6ajemJRy+PRYy87kUb4Xs=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id BuREzjnFqYJj; Fri, 14 Sep 2018 18:23:27 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 14 Sep 2018 18:23:26 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id A65C53797AC; Fri, 14 Sep 2018 12:23:25 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca A65C53797AC
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 9DF09412EC3C; Fri, 14 Sep 2018 12:23:25 -0400 (EDT)
Date: Fri, 14 Sep 2018 12:23:25 -0400
From: Paul Wouters <paul@nohats.ca>
To: Eric Rescorla <ekr@rtfm.com>
cc: "<tls@ietf.org>" <tls@ietf.org>
In-Reply-To: <CABcZeBPS9VAmQnOKJFoMMqzV-FJrMwqZjbjR-RtxcXA56z3vow@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1809141221560.25968@bofh.nohats.ca>
References: <alpine.LRH.2.21.1809121721300.5141@bofh.nohats.ca> <CAL02cgRfOF1Y_XC-=oPqB59RV97=O9_9BJHg2cE2mx3Rk0m26g@mail.gmail.com> <D29B3688-76C6-4A91-9C22-5B0C2601FB19@dukhovni.org> <CABcZeBPS9VAmQnOKJFoMMqzV-FJrMwqZjbjR-RtxcXA56z3vow@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/84kyg4A_Dt2P3gu_p7Osx7I7mT8>
Subject: Re: [TLS] TLS interim meeting material
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2018 16:23:44 -0000

On Fri, 14 Sep 2018, Eric Rescorla wrote:

>       DNSSEC lookups either return the truth or explicitly
>       *FAIL*, they don't just return "neutral" results.
> 
> 
> In theory perhaps, but as a practical matter, no browser client, at least, can do DNSSEC
> hard fail, because the rate of organic DNSSEC interference is too high. Indeed, this is
> the primary reason why DANE over TLS is interesting.

Right, the goal is hard fail on DNS manipulation. So it makes no sense
that the extension we are writing to accomplish that would not mandate
it. There are always local policy overrides, whether for testing or
otherwise.

Paul