Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
Shumon Huque <shuque@gmail.com> Thu, 12 April 2018 22:34 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F303127876 for <tls@ietfa.amsl.com>; Thu, 12 Apr 2018 15:34:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n8mYiMDdVgn4 for <tls@ietfa.amsl.com>; Thu, 12 Apr 2018 15:34:13 -0700 (PDT)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D881C12422F for <tls@ietf.org>; Thu, 12 Apr 2018 15:34:03 -0700 (PDT)
Received: by mail-it0-x233.google.com with SMTP id 142-v6so896578itl.5 for <tls@ietf.org>; Thu, 12 Apr 2018 15:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=H0C5aThvI/CnqF4EmWl9s51/KqcnfSPxB5w9JCNoHxQ=; b=dxlYrWQP9Nxkho+Qlzc3HX49GCuLApqz2EMw4egNpP7zXEFhLTrnf69r3ac2CZgs0d faWQ3rEsEBH2QuZ5kJdX7Y+HkDphABc1QtR2VabBuvkfAOUt7PLJH3AHb9An2i7tNYCJ QPkKZbAxAMefpZvuhz5KoA5se54CO76Iw+xNgjGHEp7bOk6lokWdE7TBNifKBVcSk0Ob OsWhbcR9rgYwGoaTs8bzL/VVJmgcLjPwWFcf8iF29ve5Z+gbr1xiUWE+j5hbfXXkAl3T HVrZiQao6bCiKcBIo+WvIgaIpqFcDnu79CzqRK8368L1k/6u2V6gKZKCbiJ7rloKoV7q /SnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=H0C5aThvI/CnqF4EmWl9s51/KqcnfSPxB5w9JCNoHxQ=; b=q9Ng3J/l6pJUZZqkp4UyzE9ICRC7ciTzDlPFGYDakNPPZR4SWmWOLiKQbthGU2hcWf hZ8eiw+a1Pen0M/hvQWLcaPpdaMYwmTxCN+oe6xD0DoJy7RFgjoR+Y8+SxaU+HFEVuWu jgbIVUHXDhMGeDA+75Qak3ZRHMwdzTKQNd5weHcKfhyR1hDuA9Uut8XQH9U8138SX2bN 4VEGxyI1jV/BpkKU99PclJoLjAgrHiqc/0H7av29lKGw9kFspCsArNYmhc8C0CiBMEF2 g+P4DVU7w/kDBPdjlgX2MTeNq+9+x9547ksygjmcV0f5C7aKQiTuU2N8wveJOSEzZlRC Ny5g==
X-Gm-Message-State: ALQs6tB5q2sHR5UFx3LXpSOwsja+BNsMOuSj5WvhOqJZIFRHBowf/kq9 r9V0fbIc2s1t/nyShMf4GE39T1RCSjE1t/eBj5h3ug==
X-Google-Smtp-Source: AIpwx4/SqQeJ1Uje02Kj/L9O0CyKQEsk8uB5dqwBNktb/I+z6xCCaFnev/R4PCXVtntjIZVmwvlN0z3gjpXLV7H7fPU=
X-Received: by 2002:a24:c902:: with SMTP id h2-v6mr2751840itg.61.1523572442785; Thu, 12 Apr 2018 15:34:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.213.131 with HTTP; Thu, 12 Apr 2018 15:34:02 -0700 (PDT)
In-Reply-To: <114FE78D-F340-4752-BEF0-459FE1548A80@dukhovni.org>
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com> <CAHPuVdXfVQ5ZYL+dTvFeTfOaz2NNPrqxvnWuqJkxu0aaKDF_Sg@mail.gmail.com> <20180410235321.GR25259@localhost> <20180411173348.GP17433@akamai.com> <alpine.LRH.2.21.1804120438460.24369@bofh.nohats.ca> <CAL02cgSuTOaT_NwnpXaa8DPhNJhzqZwepRL+J29BzcBfCTDtHw@mail.gmail.com> <CAHbuEH78KNyk8fnHThRkCERKPjZzYppi1uhkDx6kL_t448q0_g@mail.gmail.com> <20180412175441.GD20782@akamai.com> <6db83a59-1f0f-f552-0d48-6e2a8d43f602@nomountain.net> <CABkgnnUwOjkY1_KejV-YOw3YRqjFfzaYurEY1OpZ8phQVhcWLg@mail.gmail.com> <114FE78D-F340-4752-BEF0-459FE1548A80@dukhovni.org>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 12 Apr 2018 18:34:02 -0400
Message-ID: <CAHPuVdXC6zG-TF_5KrmM7A99uFvFihhkTj4qK-9ZAjOUt-rwTw@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003deea20569ae5a33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RkWae8Zz4khzPkRyDEfiGih42T4>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Apr 2018 22:34:15 -0000
On Thu, Apr 12, 2018 at 6:09 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > > > > On Apr 12, 2018, at 5:47 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > > > > If this is indeed about adding [goo], what prevents Viktor or Paul > > from proposing a new addition to the protocol in the form of a new I-D > > that enacts the changes they wish to see? > > Why publish a crippled specification that needs immediate amendments that > would > require a second parallel extension to be defined and used by clients and > servers > to fix the issues in the current specification? And the time to get that > second > extension would effectively delay the publication of a usable protocol. > > The protocol as described prohibits denial of existence responses. Willem > acknowledged (thus far in an off-list message) that that's an oversight > that > should be corrected, and such a correction is the substance of option (A). > As I said in a previous message, I'll support relaxing the language in the draft to permit delivery of authenticated denial chains for future applications of the protocol - I think that's just adding or modifying a couple of lines to the draft, and no wire changes. Someone actually argued to me in person that the draft could be read as not explicitly prohibiting authenticated denial (for NXDOMAIN/NODATA), but if we want to allow it, I think it's best to be crystal clear. If we can get consensus on that, then you could write a separate extension to convey the pinning information and describe the additional behavior. That in combination with the existing draft would satisfy your use case. That would in fact be an incremental addition, and not a whole new parallel protocol. Implementers that are opposed to pinning would then just ignore this second draft (and not bother with the authenticated denial part of the first draft). Since it seems pretty clear you're not going to consensus on adding pinning to the current draft, I think you should pursue this approach. And then you can try to convince implementers and deployers, now or in the future, that they need to use both extensions in combination. -- Shumon Huque
- [TLS] Consensus Call on draft-ietf-tls-dnssec-cha… Joseph Salowey
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Melinda Shore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Martin Thomson
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Martin Thomson
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Ilari Liusvaara
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- [TLS] DPRIV has the downgrade too (Re: Consensus … Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Tim Hollebeek
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Shumon Huque
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Willem Toorop
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Shumon Huque
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Shumon Huque
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… James Cloos
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Melinda Shore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- [TLS] A new argument (Re: Consensus Call on draft… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Kathleen Moriarty
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Benjamin Kaduk
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Willem Toorop
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] [dane] Consensus Call on draft-ietf-tls… John Gilmore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Ilari Liusvaara
- Re: [TLS] [dane] Consensus Call on draft-ietf-tls… Viktor Dukhovni
- Re: [TLS] [dane] Consensus Call on draft-ietf-tls… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Melinda Shore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Martin Thomson
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Melinda Shore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Shumon Huque
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Martin Thomson
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Willem Toorop
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… James Cloos
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Melinda Shore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Eric Rescorla
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Sam Hartman
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Jim Fenton
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Bill Frantz
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Joseph Salowey
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Melinda Shore
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Paul Wouters
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Richard Barnes
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Shumon Huque
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Peter Gutmann
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Nico Williams
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Joseph Salowey
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Viktor Dukhovni
- Re: [TLS] Consensus Call on draft-ietf-tls-dnssec… Joseph Salowey