Re: [TLS] TLS DNSSEC chain consensus text, please speak up...

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 16 May 2018 04:22 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <795f96a1-e2b2-6a89-555c-c856d07838cf@nomountain.net>
Date: Wed, 16 May 2018 00:22:41 -0400
Message-Id: <86E426FA-9F05-4B5C-A51A-44723C46AB26@dukhovni.org>
References: <5E208416-CC05-4CA0-91A4-680045823E82@dukhovni.org> <795f96a1-e2b2-6a89-555c-c856d07838cf@nomountain.net>
To: TLS WG <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KlumZwfjHdDLNEFTF2GMOae02Gs>
Subject: Re: [TLS] TLS DNSSEC chain consensus text, please speak up...


> On May 16, 2018, at 12:08 AM, Melinda Shore <melinda.shore@nomountain.net> wrote:
> 
> At any rate this is starting to feel like abuse of process.

I was simply following a security AD's suggestion from today's earlier
thread with the AD's authors and chairs:

> Therefore, if you want to make that change, you need to persuade the WG.

I still think that the WG has not had a chance to fully consider the
specific issue of reserving the two bytes as part of the present
remediation to remove the unwanted (by any of us) unilateral
client-side pinning.  The proposal is conservative, and does not
contradict the consensus to remove pinning for now.  It just leaves
the door open going forward, at negligible cost (two bytes on the
wire in bandwidth, and zero in implementation).

Therefore, based on the above advice, I am giving the WG the benefit
of the doubt.

-- 
	Viktor.