Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 3B2121B2B7F
 for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 11:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id bzrpqQu1DNhB for <tls@ietfa.amsl.com>;
 Sun, 19 Jul 2015 11:18:22 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108])
 by ietfa.amsl.com (Postfix) with ESMTP id 9BDFA1B2B7E
 for <tls@ietf.org>; Sun, 19 Jul 2015 11:18:22 -0700 (PDT)
Received: from fifthhorseman.net (dhcp-a29a.meeting.ietf.org [31.133.162.154])
 by che.mayfirst.org (Postfix) with ESMTPSA id 4E891F984;
 Sun, 19 Jul 2015 14:18:21 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000)
 id E8C29202E8; Sun, 19 Jul 2015 20:18:18 +0200 (CEST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>, tls@ietf.org
In-Reply-To: <20150701035820.GJ14121@mournblade.imrryr.org>
References: <55922571.8080605@nomountain.net>
 <alpine.LFD.2.11.1506302319510.29441@bofh.nohats.ca>
 <CAHPuVdVc01v4EKM5A9OEQ2Y78b=zZeQjKHigP3NR5nAT=y7FwQ@mail.gmail.com>
 <20150701035820.GJ14121@mournblade.imrryr.org>
User-Agent: Notmuch/0.20.2 (http://notmuchmail.org) Emacs/24.5.1
 (x86_64-pc-linux-gnu)
Date: Sun, 19 Jul 2015 20:18:18 +0200
Message-ID: <87k2twm2ol.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/JNpJ6Oguv2kdPy-k-inHQUAXP_E>
Subject: Re: [TLS] draft-shore-tls-dnssec-chain-extension-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working
 group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>,
 <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
 <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2015 18:18:24 -0000

Thanks for this draft, i'm definitely interested in seeing it push
forward.

On Wed 2015-07-01 05:58:20 +0200, Viktor Dukhovni wrote:
> Instead, there would need to be in various cases:
>
>     * A validated chain of CNAMEs (possibly synthesized via validated
>       DNAME RRs) leading from the client's requested SNI name to
>       a final TLSA base domain.  (0 or more CNAME/DNAME indirection
>       records and all the DNSKEY/DS/RRSIG records to validate
>       these).
>
>     * A validated chain of CNAMES from _port._proto.<base-domain> to
>       an actual validated TLSA RRset (and ...).
>
>     * The final TLSA RRset with all the requisite validation records.
>
>     * Also a potential change in the client's notion of the reference
>       identifier to match in certificates, to the final TLSA base domain.

Complicating this further, there could be a chain to an SRV or MX
record, which then needs to chain to the TLSA, in think (possibly with
CNAMEs in the mix).  This is potentially a pretty long chain.  also: how
does a multi-tenanted server know what SRV or MX chain to include in the
chain?

        --dkg