Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps

Paul Wouters <paul@nohats.ca> Wed, 17 October 2018 05:46 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02FDC130DC5 for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 22:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bj4bNq_SzK40 for <tls@ietfa.amsl.com>; Tue, 16 Oct 2018 22:46:29 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D70181294D0 for <tls@ietf.org>; Tue, 16 Oct 2018 22:46:28 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 42Zh4d2t7Pz1rV; Wed, 17 Oct 2018 07:46:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1539755185; bh=75E4ufQq2U4q6f1Kc0KS8vDn3CZKQ2ERyXdUV0RM7fA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=JIUw+AscqDrA5rn9kUq6UUapQQOJ09FeXY50RwbnGzCYJsHLqeg+Z2b1yCxuCICme Eruguw1gXwtrmJMOX+Rfq/J15yUQKjbphwx5XFE+xJci+DUhSSTVa6u+2VwxKtGMVh Aa3i9+yWa0xGJNExEC1yybPyfDGTxPTmOoDKOVDM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id Pytsn99lDCKA; Wed, 17 Oct 2018 07:46:22 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 17 Oct 2018 07:46:21 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 0D4F42C40EB; Wed, 17 Oct 2018 01:46:21 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 0D4F42C40EB
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 0136141C3B33; Wed, 17 Oct 2018 01:46:20 -0400 (EDT)
Date: Wed, 17 Oct 2018 01:46:20 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
cc: tls@ietf.org
In-Reply-To: <875zy1czbd.fsf@fifthhorseman.net>
Message-ID: <alpine.LRH.2.21.1810170131520.7138@bofh.nohats.ca>
References: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com> <875zy1czbd.fsf@fifthhorseman.net>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ffP1lNpQwGt-bZm1Xr_5xpCk1U4>
Subject: Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Oct 2018 05:46:31 -0000

On Tue, 16 Oct 2018, Daniel Kahn Gillmor wrote:

> That said, it sounds like negotiating the details of how to do this
> pinning is the main blocker, and i'm sick of this proposal being blocked
> (because i want it for "greenfield" implementations last year).

Imagine how sick I will be when I try to do this later in a separate
docment, where the WG might not even accept it as a WG item. I am not
confident enough that pinning would be resolved in a later document at
all, leaving me with my use case dead in the water forever.

So for me it is useful to have the pressure of release for those people
who have a greenfield application to want this to happen to push for
resolving the downgrade attack. It forces the parties to the table to
resolve the conflict. But also, we already had a suggestion on how
to postpone the pinning solution to another document, but to do that
sanely this document needed some placeholder or else you end up with
a pinning extension that pins itself _and_ another extension, or a
placeholder for the meaning of a pin, and both situations were deemed
worse then just working out everything in one document. So in effect
we already tried what you are proposing.

Finally, as Viktor said, our discussions offlist an onlist, found
other issues. While Viktor and I are happy to write text to fix these
other issues in the document, it seems we are currently stuck in a
role of spending a lot of effort writing text, only to see no new
draft version on even the things everyone agrees on, such as denial
of existence. Since Viktor and I put in a lot of effort to write text
that isn't being accepted or rejected, we don't feel very motivated
to fix all these other things we found.

In my opinion, this document needs more active authors proposing and
writing text. It seems none of the original authors is willing or
able to do this anymore. If nothing has changed at the next IETF, I
have planned to propose adding one or two new authors to the document
to try and get it unstuck.

I also want to note that Ben has done a very admirable job of talking
to everyone and moving towards consensus.

Paul