Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
Shumon Huque <shuque@gmail.com> Wed, 07 February 2018 04:23 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4626124319; Tue, 6 Feb 2018 20:23:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id loUuMaUU8BWc; Tue, 6 Feb 2018 20:23:57 -0800 (PST)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DC06120227; Tue, 6 Feb 2018 20:23:57 -0800 (PST)
Received: by mail-it0-x22e.google.com with SMTP id u12-v6so14145151ite.0; Tue, 06 Feb 2018 20:23:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xs8MYBukQIUmbWO3XXsBH97HLipZi8TOzHHtmc+inZk=; b=VK3D++LI392h6iIczYChq+Rte0eUSbM4H5dO/jENgtsycDKdIK2GqDdRminjsTwBp7 AEwA8TCYamORj7HzgAocFMkldm48YSkNCOCpO+zBBg4qmrqxd8IBTdRLtBCXAW9AO/3A 9HU4MdSvIuFMgArqvHkaGekysfUwVJgG74ALYg43oDUyN2wcHSWgdrXN19y7P4TUKDEM DU/JpWuie6PE2O0fzLsKTPKNgkZjdDU7S5YupR9MnYjych+ubt2kRvTo5cueUr82kCpU xoPQh1TyQR+0TzKe+2diI77aT5e68+Aozui+EcZBE3FDI25lZ2K1bUhKnp3MyLkU1C7u E+FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xs8MYBukQIUmbWO3XXsBH97HLipZi8TOzHHtmc+inZk=; b=m1IDh/dRuCdmPEM8I4pORSqYCitejPxnABX5wUNhd02QnAs1D5/fUY8ijeWvLc5vL5 4fUEYTxjaUsWkijphntnOdu3WFvVJSPwLeXMmh0VRKtiPgstSiTBfkq9x7fpuQXd0ZLD rBeQM0Rna8lE7Syh1TYJJijmQLn1EXNQKIhr+nNZNNx7O0vz4wmw/IgIM6HZnU8rzHf5 BrO5Ej5shf3VqW3/MaEsofKa/g3J87vamPY+07CCXikC5Fi5IVBZ3swd31ycrdt/iNY6 z4svsXtTWXYVnsLYXzVJk9oQ4xrk4LB0zQYYbVIBqDrVDhAHZFj3zeDkV3a5nOlZKXxf MUCA==
X-Gm-Message-State: APf1xPCY4llqp/rIJVw5fdgQRBaCYPhscBC8e1XVrPtFWslodZq7n1Um 6Yb5SWcE+I83dtCcjts/JHksZ4MzqF5bKKoj4IU=
X-Google-Smtp-Source: AH8x227lfIaNg68bILDiALIs4p0w2AcKy8bXxJCbnv/Ts3lC9RH1CRCG5XIVLhpeGa46CRnntUkpYeZgOu+uU0dOhBI=
X-Received: by 10.36.167.67 with SMTP id s3mr6584109iti.66.1517977436813; Tue, 06 Feb 2018 20:23:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.201.198 with HTTP; Tue, 6 Feb 2018 20:23:56 -0800 (PST)
In-Reply-To: <151797357502.25862.16667889525841537162.idtracker@ietfa.amsl.com>
References: <151797357502.25862.16667889525841537162.idtracker@ietfa.amsl.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 06 Feb 2018 23:23:56 -0500
Message-ID: <CAHPuVdU+_z+rZAR0xphYCt5fhgfOkzjuKi2wPDXs81YY5N8diw@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, Joseph Salowey <joe@salowey.net>, tls-chairs@ietf.org, TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fb1c8e60096056497a980"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/afieqanahsKvese7MSVbqu6f08I>
Subject: Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 04:24:00 -0000
On Tue, Feb 6, 2018 at 10:19 PM, Adam Roach <adam@nostrum.com> wrote: > Adam Roach has entered the following ballot position for > draft-ietf-tls-dnssec-chain-extension-06: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I like this mechanism and look forward to its deployment. I have one point > of > clarification and a small handful of editorial comments. > > First, the point of clarification: > > §4: > > > if the server does not recognize the > > provided name and wishes to proceed with the handshake rather than to > > abort the connection, the server uses the domain name associated with > > the server IP address to which the connection has been established. > > Unless I missed something important, this scenario doesn't seem to make > much > sense: if the client provides name A and the server replies with name B, > the > client either (1) isn't performing server name validation (in which case > it is > nonsense for the client to ask for a dnssec_chain), or (2) is going to > error > out the connection. Do I have that right? If there's some situation in > which > the server acting as described above provides some benefit, I would love to > see it described in here. If it's just a matter of having completely > described > behavior for corner cases, it may be worthwhile indicating that the client > will reject the connection if the server decides to complete the handshake > like this. > > ------------------------------------------------------------ > --------------- > > > Intended status: Standards Track R. Barnes > > Expires: July 27, 2018 Mozilla > > s/Mozilla/Cisco/ > > ------------------------------------------------------------ > --------------- > > §1: > > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > > document are to be interpreted as described in [RFC2119]. > > This document has significant usage of these terms in lowercase. Please > consider > using the boilerplate from RFC 8174 instead. > > ------------------------------------------------------------ > --------------- > > §3.3: > > > the case in DANE in which a client either ignores the name in > > certificate (as specified in [RFC7671] or there is no attestation of > > Nit: "...in the certificate..." > > Nit: Add closing paren after [RFC7671] > > ------------------------------------------------------------ > --------------- > > §4: > > > specific processing needed for aliases and wildcards. If DNS > > responses messages contain any domain names utilizing name > > Nit: "response" > > Adam - nits have been noted, and will be fixed. Shumon Huque
- [TLS] Adam Roach's Yes on draft-ietf-tls-dnssec-c… Adam Roach
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Viktor Dukhovni
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Adam Roach
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Shumon Huque
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Shumon Huque