IETF Logo Mail Archive

Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Nico Williams <nico@cryptonector.com> Thu, 05 April 2018 02:30 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBB8D12785F for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 19:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KjZtymJBkeM4 for <tls@ietfa.amsl.com>; Wed, 4 Apr 2018 19:30:21 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30975126B6D for <tls@ietf.org>; Wed, 4 Apr 2018 19:30:21 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id E22F9A00400F; Wed, 4 Apr 2018 19:30:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=pwT0FK5dPcseKh ReX4oPivXS1Bg=; b=VGiNpgUcZS7kope689PlZOK0JWfr8LHbHtbOuO9fAyX71R xNX4kWTL23eoUhUCMrd1i0ViHhMQU97NItX29mJFgBRG1C215Ngbe0KBHL7428IN YOy/6aZdAnXAXoc5hIxhl8Ezf12+Q+U4/6qjaxoPce393v7bx8XYSZVl1+xtY=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPSA id 8EEE8A000B3C; Wed, 4 Apr 2018 19:30:20 -0700 (PDT)
Date: Wed, 04 Apr 2018 21:16:25 -0500
From: Nico Williams <nico@cryptonector.com>
To: Joseph Salowey <joe@salowey.net>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20180405021624.GF25259@localhost>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QJzwZDt6sw3z3iKF-qo5-z_-ruU>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Apr 2018 02:30:23 -0000

On Wed, Apr 04, 2018 at 10:50:15AM -0700, Joseph Salowey wrote:
> Some objections were raised late during the review of
> the draft-ietf-tls-dnssec-chain-extension. The question before the working
> group is either to publish the document as is or to bring the document back
> into the working group to address the following issues:

For the record, I've had a document need changes after IESG publication
approval that were then made with a WG LC for those changes rather than
a repeat of WG LC, IETF LC, and IESG review.

I'm surprised that this changes should require "bring[ing] the document
back into the working group" if by that you mean going through the full
process all over.  Though, to be sure, I don't object if that's the
required path now, but I don't want people to feel compelled to be
against this LC on account of the delay in publication being much
bigger, not if there's a shorter method.  (Also, I don't mind a delay
all that much: it's hardly that big a deal; RFCs often end up stuck in
AUTH48 for much much longer!)

> - Recommendation of adding denial of existence proofs in the chain provided
> by the extension
> - Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> 
> This is a consensus call on how to progress this document.  Please answer
> the following questions:
> 
> 1) Do you support publication of the document as is, leaving these two
> issues to potentially be addressed in follow-up work?

I do not.

> If the answer to 1) is no then please indicate if you think the working
> group should work on the document to include
> 
> A) Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> B) Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> C) Both

At least (B), and preferably (C).

My rationale for (B) is that this is the sort of thing where adding it
from the get-go will yield deployment where DANE is not mandatory for
the application whereas not adding it now will yield non-deployment of
DANE in such applications for a very long time.

My rationale for (C) is that (A) is trivial, so might as well throw it
in.  Mind you, (B) is also trivial (two bytes! to be conveyed however
you want, with 0 -> clear the pin to DANE).

Thanks,

Nico
--

v2.15.0 | Report a Bug | By Email