Re: [TLS] draft-shore-tls-dnssec-chain-extension-00

Melinda Shore <melinda.shore@nomountain.net> Sun, 19 July 2015 21:08 UTC

Return-Path: <melinda.shore@nomountain.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0070D1B2CC0 for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 14:08:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWuG93s8MXS7 for <tls@ietfa.amsl.com>; Sun, 19 Jul 2015 14:08:52 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 1443D1B2C8A for <tls@ietf.org>; Sun, 19 Jul 2015 14:08:52 -0700 (PDT)
Received: from homiemail-a16.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTP id CAA80508072 for <tls@ietf.org>; Sun, 19 Jul 2015 14:08:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=nomountain.net; h= message-id:date:from:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; s= nomountain.net; bh=5/YEbDDuJeDapvVSXl8/2re8iLk=; b=MPfcNOnlW7OdN XRdNt2jcDUqtIV+TeClWE7fvb3e+g9FKS6CDxgbyuMa/TJA0+rna2/HL1ZpNISJl 2BjM128JB43qd39CN7yq8VGKFrAMuf7xOZf/S4BScKco80MWppWs4baWBwPaeufS xjTfi9VeU1xK+BVWam6jVc/krRQlwk=
Received: from spandex.local (74-124-99-152-rb2.sol.dsl.dynamic.acsalaska.net [74.124.99.152]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: melinda.shore@nomountain.net) by homiemail-a16.g.dreamhost.com (Postfix) with ESMTPSA id 784A3508064 for <tls@ietf.org>; Sun, 19 Jul 2015 14:08:51 -0700 (PDT)
Message-ID: <55AC11DE.5070508@nomountain.net>
Date: Sun, 19 Jul 2015 13:08:46 -0800
From: Melinda Shore <melinda.shore@nomountain.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: tls@ietf.org
References: <55922571.8080605@nomountain.net> <alpine.LFD.2.11.1506302319510.29441@bofh.nohats.ca> <CAHPuVdVc01v4EKM5A9OEQ2Y78b=zZeQjKHigP3NR5nAT=y7FwQ@mail.gmail.com> <20150701035820.GJ14121@mournblade.imrryr.org> <87k2twm2ol.fsf@alice.fifthhorseman.net> <20150719194943.GO28047@mournblade.imrryr.org>
In-Reply-To: <20150719194943.GO28047@mournblade.imrryr.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/K-CtpSBMIfdT1jfmefNPDnHNu_U>
Subject: Re: [TLS] draft-shore-tls-dnssec-chain-extension-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2015 21:08:53 -0000

On 7/19/15 11:49 AM, Viktor Dukhovni wrote:
> My reading of the draft is that it is primary aimed at making DANE
> practical for HTTPS,  where last-mile considerations on the client
> end are a significant part of the adoption barrier.
> 
> For HTTP, MX and SRV records are out of scope.  Clients that depend
> on DNS to the extent of determining the server identity based on
> MX or SRV records, already need DNSSEC to avoid MiTM issues, and
> at least in the case of SMTP and XMPP are expected to handle DANE
> without stapled TLSA RRsets (and associated RRSIG/DNSKEY/DS chains).

Yup, exactly.  Thanks.

Melinda


-- 
Melinda Shore
No Mountain Software
melinda.shore@nomountain.net

"Software longa, hardware brevis."