Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Joseph Salowey <> Wed, 18 April 2018 18:22 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

We've had a lot of discussion on this thread that has pointed out that
there are enough issues with the current document that we should recommend
that the AD pull it back from the RFC editor.

Concerns have been raised about the trade-offs associated with pinning and
I do not think we currently have consensus to add pinning.  While I think
it may be possible to come to consensus on pinning I think it may take some
time.  I believe we can quickly get consensus for the following approach:

1. Scope the document to the assertive use cases
2. Explicitly allow (but do not require) DoE be included
3. Remove current text about pinning
4. Re-submit the document for publication and start work on a separate
extension that supports pinning

I understand that not everyone is happy with publishing the document scoped
down in this way, but there is a community of users who would find it
useful.  I am soliciting suggestions for text for items 1-3 and I encourage
proponents of the more restrictive use case to get a draft together that we
can consider for adoption by the working group.

I also want to thank the participants for keeping the discussion mostly
civil and having patience as we go through this process.


On Wed, Apr 4, 2018 at 10:50 AM, Joseph Salowey <> wrote:

> Hi Folks,
>
> Some objections were raised late during the review of
> the draft-ietf-tls-dnssec-chain-extension. The question before the
> working group is either to publish the document as is or to bring the
> document back into the working group to address the following issues:
>
> - Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> - Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
>
> This is a consensus call on how to progress this document.  Please answer
> the following questions:
>
> 1) Do you support publication of the document as is, leaving these two
> issues to potentially be addressed in follow-up work?
>
> If the answer to 1) is no then please indicate if you think the working
> group should work on the document to include
>
> A) Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> B) Adding signaling to require the use of this extension for a period of
> time (Pinning with TTL)
> C) Both
>
> This call will be open until April 18, 2018.
>
> Thanks,
> Joe