Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Richard Barnes <> Wed, 04 April 2018 21:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A9898126BF0 for <>; Wed, 4 Apr 2018 14:53:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xkPWqm_37EmH for <>; Wed, 4 Apr 2018 14:53:14 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 82DAB120454 for <>; Wed, 4 Apr 2018 14:53:14 -0700 (PDT)
Received: by with SMTP id i28-v6so25062870otf.8 for <>; Wed, 04 Apr 2018 14:53:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=RHpsc7DSbmwN3riHyirZYjSlZmgkf8Lq+RanKkGCupA=; b=frTd/hjyqGYdsvzvJiF47nzbistZvWc1xXqsZnMf58Y1UZrPfMR+C7PD3B0lsEW+jx a/QR/hAdW01zvNR0D2dvpzaCQHzoyEhD3eF7bKXJAR4AMYTnBS+XgLOZESohQBiib4qs XaHWMldFaiu0dHaysH8RclEVewMqa6JbLqU3adTihAWrqQlbJPwML8DjyaP5PDtAvMZr ivkbICNpr8rXdIDWkTifit1jOghIDxSsK+VHljXy3is0P3jmEMTYqgX7jDifoDpmjW50 17Yaf5oAHIp90MXCBaLgec2sI9PXfDfu4idNyFXLPHwGoGT7ndVxvzu1ZZ1+HsUH2goe Py9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=RHpsc7DSbmwN3riHyirZYjSlZmgkf8Lq+RanKkGCupA=; b=ocLa93W9Pe+nqpdOUNznoVaNCkZ2IekZG8nDvuGmSCp0Nrax9Swvs3jYK+fAgSf0m9 pIxS0Rs2ySX51PdaRMVhiE7sLuP7QFdVLMULOSvyUypN6yfksPmDlf5gIQZzrcaEv9U9 ZZpqQzAgOaxwADyoG+xSJM7enz3mm26XEW2T1FWEY3fiKxK35jQZMmI4C6fz5QKuCIca +ez8kRfS7B5cWOFCMcMQ3tX4ZphKmhFFn9FiX/l9/zHsukVawN6q9sU9PnB5BTq0V6ze m/095JpY2ETY7OAfz3oL9ZUDYB4+TpzOHgZyvgEJU3mlLk+p0wjUP+JA3veYDpAvWDxI grEA==
X-Gm-Message-State: ALQs6tC4wOj/ZzGp9qICxzzwi+IGi9ErHH9tOYsg90gdBX7Lwikm2SFQ EFHfA2+iZNAbBpSr97JBdAz6f80aAbEMKK5tIJjInA==
X-Google-Smtp-Source: AIpwx48ceuNprkUisStfruCqW/BK5Vr8VQOIeIcpcrRPXUhuiSWwGKvvTeSjPJ6EdEU0oES3PhgiacJju4q3mGD7Ot4=
X-Received: by 2002:a9d:1920:: with SMTP id j32-v6mr12541957ota.383.1522878793531; Wed, 04 Apr 2018 14:53:13 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 4 Apr 2018 14:53:13 -0700 (PDT)
In-Reply-To: <>
References: <>
From: Richard Barnes <>
Date: Wed, 04 Apr 2018 17:53:13 -0400
Message-ID: <>
To: Joseph Salowey <>
Cc: "<>" <>
Content-Type: multipart/alternative; boundary="0000000000008658ad05690cd9c2"
Archived-At: <>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Apr 2018 21:53:18 -0000

On Wed, Apr 4, 2018 at 1:50 PM, Joseph Salowey <> wrote:

> Hi Folks,
> Some objections were raised late during the review of
> the draft-ietf-tls-dnssec-chain-extension. The question before the
> working group is either to publish the document as is or to bring the
> document back into the working group to address the following issues:
> - Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> - Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> This is a consensus call on how to progress this document.  Please answer
> the following questions:
> 1) Do you support publication of the document as is, leaving these two
> issues to potentially be addressed in follow-up work?

I support publication of the document as is.  I would also be comfortable
with a minor modification to say that TLSA certificate usages 0 and 1 (the
restrictive ones) MUST NOT be used with this mechanism.

Even if this document is restricted to the assertive use cases, it can
still be used in cases where clients and servers have agreed to forego the
"normal" PKI and rely on DANE, or in cases where servers are able to switch
between DANE and non-DANE authentication depending on the client's
capabilities.  The former pattern could be made to work in the web if there
were interest; I believe DKG has indicated that DPRIVE might fall in the
former category.

While there may be utility in the restrictive use cases, the discussion to
date indicates that there is sufficient complexity and controversy involved
in making that work that we should not block this document from enabling
assertive use cases while that is in progress.


> If the answer to 1) is no then please indicate if you think the working
> group should work on the document to include
> A) Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> B) Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> C) Both
> This call will be open until April 18, 2018.
> Thanks,
> Joe
> _______________________________________________
> TLS mailing list