Re: [TLS] Interim notes and draft-ietf-tls-dnssec-chain-extension next steps
Paul Wouters <paul@nohats.ca> Wed, 17 October 2018 05:46 UTC
Date: Wed, 17 Oct 2018 01:46:20 -0400
From: Paul Wouters <paul@nohats.ca>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
cc: tls@ietf.org
In-Reply-To: <875zy1czbd.fsf@fifthhorseman.net>
Message-ID: <alpine.LRH.2.21.1810170131520.7138@bofh.nohats.ca>
References: <CAO8oSXnv5Gpdw-0c9jXtx1rQqpgwmfrZyiFgHF=Kd5qWZSMPCA@mail.gmail.com> <875zy1czbd.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ffP1lNpQwGt-bZm1Xr_5xpCk1U4>
On Tue, 16 Oct 2018, Daniel Kahn Gillmor wrote:

> That said, it sounds like negotiating the details of how to do this
> pinning is the main blocker, and i'm sick of this proposal being blocked
> (because i want it for "greenfield" implementations last year).

Imagine how sick I will be when I try to do this later in a separate document, where the WG might not even accept it as a WG item. I am not confident enough that pinning would be resolved in a later document at all, leaving me with my use case dead in the water forever.

So for me it is useful to have the pressure of release for those people who have a greenfield application and want this to happen, to push for resolving the downgrade attack. It forces the parties to the table to resolve the conflict.

But also, we already had a suggestion on how to postpone the pinning solution to another document, but to do that sanely this document needed some placeholder, or else you end up with a pinning extension that pins itself _and_ another extension, or a placeholder for the meaning of a pin, and both situations were deemed worse than just working out everything in one document. So in effect we already tried what you are proposing.

Finally, as Viktor said, our discussions offlist and onlist found other issues. While Viktor and I are happy to write text to fix these other issues in the document, it seems we are currently stuck in a role of spending a lot of effort writing text, only to see no new draft version on even the things everyone agrees on, such as denial of existence. Since Viktor and I put in a lot of effort to write text that isn't being accepted or rejected, we don't feel very motivated to fix all these other things we found.

In my opinion, this document needs more active authors proposing and writing text. It seems none of the original authors is willing or able to do this anymore.

If nothing has changed at the next IETF, I have planned to propose adding one or two new authors to the document to try and get it unstuck.

I also want to note that Ben has done a very admirable job of talking to everyone and moving towards consensus.

Paul