Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Viktor Dukhovni <> Thu, 12 April 2018 22:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AA7A312D7F9 for <>; Thu, 12 Apr 2018 15:09:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wSSUvGEGMZyW for <>; Thu, 12 Apr 2018 15:09:34 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2A4E812895E for <>; Thu, 12 Apr 2018 15:09:34 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id B97A27A3309 for <>; Thu, 12 Apr 2018 22:09:32 +0000 (UTC) (envelope-from
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <>
In-Reply-To: <>
Date: Thu, 12 Apr 2018 18:09:31 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <>
Message-Id: <>
References: <> <> <20180410235321.GR25259@localhost> <> <> <> <> <> <> <>
To: TLS WG <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Apr 2018 22:09:35 -0000

> On Apr 12, 2018, at 5:47 PM, Martin Thomson <> wrote:
> If this is indeed about adding [goo], what prevents Viktor or Paul
> from proposing a new addition to the protocol in the form of a new I-D
> that enacts the changes they wish to see?

Why publish a crippled specification that needs immediate amendments that would
require a second parallel extension to be defined and used by clients and servers
to fix the issues in the current specification?  And the time to get that second
extension would effectively delay the publication of a usable protocol.

The protocol as described prohibits denial of existence responses.  Willem
acknowledged (thus far in an off-list message) that that's an oversight that
should be corrected, and such a correction is the substance of option (A).

The protocol as described does not provide any mechanism for client to
distinguish between servers that are ready to commit to the extension
and those are not.  This negates applicability in applications that
exist in a world dominated by the WebPKI.  Note that I also don't
advocate any magical vision of the WebPKI going away any time soon.
Indeed some of these applications (e.g. browsers) might choose
to support only *at least* WebPKI, with DANE for optional hardening
(PKIX-TA(0), PKIX-EE(1)), but the present draft provides no downgrade
protection for this use-case.

The additional commitment signal is a hint to clients, not an obligation,
it carries negligible cost, and can be finalized now.  It enables more
potential applications, without going back to square-zero and doing another
year in the IETF WG process to address the gap.

Let's do the right thing and fix now.  The entire cost is just a small
delay, there is zero downside after that.  No imposed complexity.  Just
an improved scope.  We all want to get stuff published and out the door,
but let's take a *little* extra time to make sure it is not needlessly