Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

Jim Fenton <fenton@bluepopcorn.net> Fri, 13 April 2018 19:16 UTC

To: tls@ietf.org
References: <CAOgPGoAhzEtxpW5mzmkf2kv3AcugNy0dAzhvpaqrTSuMSqWqfw@mail.gmail.com>
From: Jim Fenton <fenton@bluepopcorn.net>
Message-ID: <fdb0b404-c0cf-0019-6223-6670e4cb0524@bluepopcorn.net>
Date: Fri, 13 Apr 2018 12:16:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sOhpgqgT4Y3CYShg-6XHbpmCbAw>
Subject: Re: [TLS] Consensus Call on draft-ietf-tls-dnssec-chain-extension

I haven't been following this WG closely but read the draft and
discussion to see what this was all about, so here's an opinion from a
somewhat external reviewer, not in the room in London:

On 4/4/18 10:50 AM, Joseph Salowey wrote:
> Hi Folks,
>
> Some objections were raised late during the review of
> the draft-ietf-tls-dnssec-chain-extension. The question before the
> working group is either to publish the document as is or to bring the
> document back into the working group to address the following issues:
>
> - Recommendation of adding denial of existence proofs in the chain
> provided by the extension
> - Adding signaling to require the use of this extension for a period
> of time (Pinning with TTL)

From reading the abstract and introduction to this draft, it appears to
be proposing mostly a performance improvement for retrieving web pages
using DANE authentication. There is some security improvement, but that
seems to be incidental to the performance improvement. That would argue
in favor of publishing the draft as-is. However:
>
> This is a consensus call on how to progress this document.  Please
> answer the following questions:
>
> 1) Do you support publication of the document as is, leaving these two
> issues to potentially be addressed in follow-up work?
>
> If the answer to 1) is no then please indicate if you think the
> working group should work on the document to include 
>
> A) Recommendation of adding denial of existence proofs in the chain
> provided by the extension

There seems to be some disagreement whether the draft as written allows
inclusion of denial-of-existence proofs. So that's an ambiguity in the
spec, and I support resolving that ambiguity (hopefully in favor of
including them).

> B) Adding signaling to require the use of this extension for a period
> of time (Pinning with TTL)

From the discussion I have read, there seems to be disagreement about
what the semantics of this pinning would even be. And if it's unclear to
the WG participants, it's going to be even less clear to others who are
implementing this. I am also of the opinion that pinning is somewhat
subtle; it requires a detailed understanding of the mechanism to remove
(expire) the pin, and if done wrong can result in availability problems.
In addition, the pins here would be maintained in individual browsers.
There is less benefit from pinning because, unlike some other pinning
mechanisms, there is no way to leverage the TOFU experience others have had.

This requires further thought, and I do not support adding pinning to
this draft. Perhaps as a separate draft, but the WG needs to decide on that.

> C) Both

Summary: (A)

-Jim
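As an added illustration of the pin-expiry semantics the message above says are subtle (example code written for this page; it is not from the draft, the working group, or the poster), here is a minimal client-side model of "require this extension for a period of time". It assumes a per-(host, port) pin created from a server-supplied lifetime in seconds, that a lifetime of zero clears an existing pin, and that pin state is only ever updated from a chain the client has itself validated. The hostname, the fake clock and the fail-closed handling of an invalid chain are constructed for the example and are not the draft's semantics.

```python
"""Model of a client-side 'pin with TTL' store for a TLS extension.

Illustrative only: the pin semantics below are assumptions for this
example, not the semantics of draft-ietf-tls-dnssec-chain-extension.
"""
import time
from dataclasses import dataclass


@dataclass
class PinRecord:
    expires_at: float  # clock value after which the pin no longer applies


class PinStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pins = {}  # (host, port) -> PinRecord

    def is_pinned(self, host, port):
        """True while a live pin says the extension must be present."""
        rec = self._pins.get((host, port))
        if rec is None:
            return False
        if self._clock() >= rec.expires_at:
            del self._pins[(host, port)]  # expired pins are dropped lazily
            return False
        return True

    def observe(self, host, port, extension_present, chain_validated, lifetime_s):
        """Apply one handshake's outcome; return "accept" or "reject".

        Only a validated chain may create, extend or clear a pin: otherwise
        an on-path attacker could pin a victim to a server it controls, or
        clear a legitimate pin before downgrading the next connection.
        """
        key = (host, port)
        if not extension_present:
            # Missing extension is only fatal while a live pin requires it.
            return "reject" if self.is_pinned(host, port) else "accept"
        if not chain_validated:
            # Assumption for this model: fail closed. A real client's
            # fallback policy (e.g. plain PKIX) is out of scope here.
            return "reject"
        if lifetime_s == 0:
            self._pins.pop(key, None)  # assumption: zero lifetime clears the pin
        else:
            self._pins[key] = PinRecord(self._clock() + lifetime_s)
        return "accept"


class FakeClock:
    """Deterministic clock so the expiry path can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def scenario():
    """Walk one client through pin creation, the availability failure,
    expiry and explicit clearing. Host name is constructed for the example."""
    clock = FakeClock()
    store = PinStore(clock)
    host, port = "example.test", 443
    out = []
    # 1. First contact without the extension: nothing pinned, so accepted.
    out.append(store.observe(host, port, False, False, 0))
    # 2. Validated chain with a one-hour lifetime: pin is created.
    out.append(store.observe(host, port, True, True, 3600))
    # 3. Server stops sending the extension while the pin is live: rejected.
    #    This is the availability failure a mis-set pin causes.
    out.append(store.observe(host, port, False, False, 0))
    # 4. Extension present but chain does not validate: rejected, and the
    #    bogus one-week lifetime must not extend the pin.
    out.append(store.observe(host, port, True, False, 7 * 24 * 3600))
    # 5. After the hour the pin has expired; the bare connection is accepted.
    clock.advance(3600)
    out.append(store.observe(host, port, False, False, 0))
    # 6. Re-pin, then the server clears it with a zero lifetime.
    out.append(store.observe(host, port, True, True, 3600))
    out.append(store.observe(host, port, True, True, 0))
    # 7. With the pin cleared, a connection without the extension is accepted.
    out.append(store.observe(host, port, False, False, 0))
    return out


if __name__ == "__main__":
    for step, result in enumerate(scenario(), 1):
        print(step, result)
```

Step 3 is the point the message makes about availability: a server that advertises a lifetime and then stops sending the extension (a DNSSEC outage, a CDN move, a misconfigured front end) is unreachable from every client that cached the pin until it expires, and nothing any other client saw can shorten that. Step 4 is why the update path must be gated on validation; a store that honoured the lifetime from an unvalidated chain would let an attacker set or clear pins at will.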