IETF Logo Mail Archive

Re: [TLS] Proposed text for dnsssec chain extension draft

Nico Williams <nico@cryptonector.com> Wed, 25 April 2018 15:08 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73F26124239 for <tls@ietfa.amsl.com>; Wed, 25 Apr 2018 08:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.61
X-Spam-Level: *
X-Spam-Status: No, score=1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L4=3.6] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OwuSeteBp9kP for <tls@ietfa.amsl.com>; Wed, 25 Apr 2018 08:08:36 -0700 (PDT)
Received: from homiemail-a54.g.dreamhost.com (homie-sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A0E2124205 for <tls@ietf.org>; Wed, 25 Apr 2018 08:08:36 -0700 (PDT)
Received: from homiemail-a54.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a54.g.dreamhost.com (Postfix) with ESMTP id 428C3480056DB; Wed, 25 Apr 2018 08:08:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=c+C+GB+WczO7jh FygAdx9xC/JWA=; b=BxF8+ZkaFa1X8KCaOV8Jj7H1OonHhjeshsT9cz0nZJPirc 3uXSad5SYoIDQUfHmu3WSfBAx2oIbu8+49E0PiNRIaoOz+DfapXON4AwIgrkrxth arAa7jB7N35wxBHnNaZXSy8BanLpnUqUpzYzaPBoEvRZ7UyscMSzXwNDdifhg=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a54.g.dreamhost.com (Postfix) with ESMTPSA id D2BC0480056CE; Wed, 25 Apr 2018 08:08:34 -0700 (PDT)
Date: Wed, 25 Apr 2018 09:57:22 -0500
From: Nico Williams <nico@cryptonector.com>
To: Melinda Shore <melinda.shore@nomountain.net>
Cc: tls@ietf.org
Message-ID: <20180425145721.GH25259@localhost>
References: <1D2EB7F1-B796-4459-93C2-443A7104F33A@dukhovni.org> <d5b94d58-e625-9fc0-faae-b202d10620fb@nomountain.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <d5b94d58-e625-9fc0-faae-b202d10620fb@nomountain.net>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rKNbbUh5gpTKjnQCXi8bwdZsiPM>
Subject: Re: [TLS] Proposed text for dnsssec chain extension draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2018 15:08:37 -0000

On Wed, Apr 25, 2018 at 11:51:58AM +0200, Melinda Shore wrote:
> On 4/25/18 7:33 AM, Viktor Dukhovni wrote:
> > Perhaps a concrete proposal will make it
> > easier to reach a mutually-agreeable consensus position, and make it
> > clear that the requested 16-bits are a reasonable consensus outcome.
> 
> Hi, Viktor:
> 
> This doesn't actually reflect the consensus called by the
> chairs, as I understand what was posted.  It may be useful
> to start work on a new draft describing your proposal.

The chair said there is consensus for (A) with no pinning.  Viktor's
proposal is (A) with no pinning.  It's not at all clear to me that the
two reserved bytes are outside the consensus, and anyways, their cost is
minimal.

However, if you object to turning the extension contents into a struct,
then I would propose a slight tweak to Viktor's proposal:

   Two-byte elements of the AuthenticationChain are reserved for future
   use.  Pending future specifications, clients MUST discard any two-
   byte elements of the AuthenticationChain, and servers MUST NOT send
   any such elements.

We might as well say that all too-small-to-be-DNS-payloads elements of
the AuthenticationChain are reserved and discarded:

   Any elements of the AuthenticationChain that are too small to contain
   DNS RRset payloads are reserved for future use.  Pending future
   specifications, clients MUST discard any such AuthenticationChain
   elements, and servers MUST NOT send any such elements.

The nice thing about this is that it makes it easier to extend this
extension later, while also adding minimal complexity now ("clients MUST
discard such elements").

Nico
--

v2.23.0 | Report a Bug | By Email