Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps

Tom Ritter <tom@ritter.vg> Tue, 09 October 2018 15:54 UTC

To: christopherwood07@gmail.com
Cc: TLS WG <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HpA1MadzGlImS5LssiCmDU3YPaU>

I was not at the interim, so this email comes without context of that
discussion. Apologies if this was exactly what the chairs didn't
want...

On Tue, 9 Oct 2018 at 00:10, Christopher Wood
<christopherwood07@gmail.com> wrote:
> - October 8 through October 19: Discuss the problem statement. In
> particular, if anyone feels the problem statement captured in the
> draft introduction [2,3] or in the above "facts" is incorrect,
> imprecise, or misleading, please say so, and say why (in a succinct
> fashion).

I agree with the facts presented in the email. I find the problem
statement in Section 2 of
https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension-07
to be imprecise.

Whether or not something is imprecise is often only discoverable in
hindsight, given disagreements about it. That seems to be the case
here.

Specifically, it does not state if the intent of the draft is to
enable a *server* to limit authentication of itself to this mechanism.
It only talks about enabling a client to authenticate the server.
Basically the draft doesn't say if it's supposed to specify a pinning
mechanism or not. Since it omits it, my assumption would be that it
_would_ not and _should_ not specify a pinning mechanism. (If it did
specify a pinning mechanism, then the draft is solving a problem not
explained in the introduction.)

-tom