Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04

Shumon Huque <shuque@gmail.com> Sat, 08 July 2017 01:03 UTC

In-Reply-To: <20170707230505.GB1755@mournblade.imrryr.org>
References: <765945B5-B686-45EB-84AE-38731C3006D6@rfc1035.com> <20170705171211.GM5673@mournblade.imrryr.org> <1F943876-91FC-4529-9B44-9F187EDA48B5@rfc1035.com> <CAHPuVdVbLw+vw4pzHNeBJK_gnqWntEfCgqo-DPQcdcmwXRV00A@mail.gmail.com> <20170707230505.GB1755@mournblade.imrryr.org>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 07 Jul 2017 21:03:03 -0400
Message-ID: <CAHPuVdXqw0M3eAbGY5g_69HrqHLUifqPw+xP=zUNQM1XzDxYsw@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vRNPVeiQ8zUH_YCwK7Mn9VwOZxk>

On Fri, Jul 7, 2017 at 7:05 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> Once the client obtains a validated TLSA RRset for the service
> endpoint, it may (up to the TTLs of the provided records, validated
> to conform to the max ttl of the RRSIGs and not exceed the RRSIG
> expiration) simply not omit the extension in subsequent requests,
> and validate the server certificate per the cached TLSA RRs.
>

( assumed typo: s/not omit/omit/ )

This is quite a reasonable and simple optimization, and I think we should
document it in the draft. It may often be short-circuited by TLS session
resumption, but it's so simple that it's probably worth doing.

Thanks!
--
Shumon Huque
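The cache-lifetime rule in the quoted text (reuse a validated TLSA RRset up to its TTL, clamped to the RRSIG's Original TTL and never past the RRSIG expiration, and omit the extension while that entry is fresh) as an added worked example; this is not code from the draft, the working group or either poster, and the class and function names are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A TLSA record as (usage, selector, matching_type, certificate_association_data).
TlsaRecord = Tuple[int, int, int, bytes]


@dataclass
class CachedTlsa:
    """A validated TLSA RRset the client keeps between handshakes (hypothetical name)."""
    rrs: List[TlsaRecord]
    rrset_ttl: int          # TTL on the TLSA RRs as delivered in the chain
    rrsig_orig_ttl: int     # Original TTL field of the covering RRSIG
    rrsig_expiration: int   # RRSIG Signature Expiration as seconds since the epoch
    validated_at: int       # time at which the client validated the chain

    def expires_at(self) -> int:
        # A delivered TTL larger than the signed Original TTL is not authenticated,
        # so clamp to it; and nothing in the RRset is validated once the RRSIG has expired.
        ttl = min(self.rrset_ttl, self.rrsig_orig_ttl)
        return min(self.validated_at + ttl, self.rrsig_expiration)

    def usable(self, now: int) -> bool:
        # Cached entries with no records are never used; a stale entry forces a fresh chain.
        return bool(self.rrs) and now < self.expires_at()


def send_dnssec_chain_extension(cache: Optional[CachedTlsa], now: int) -> bool:
    """True if the next ClientHello must carry the extension (no usable cached RRset)."""
    return cache is None or not cache.usable(now)


# Constructed sample: delivered TTL 3600 s, but the RRSIG's Original TTL is 300 s and the
# signature expires 200 s after validation, so the entry is only good for 200 s.
SAMPLE = CachedTlsa(
    rrs=[(3, 1, 1, bytes.fromhex("00" * 32))],  # placeholder DANE-EE SPKI SHA-256 value
    rrset_ttl=3600,
    rrsig_orig_ttl=300,
    rrsig_expiration=1_000_200,
    validated_at=1_000_000,
)

if __name__ == "__main__":
    for t in (1_000_100, 1_000_200):
        print(t, "send extension:", send_dnssec_chain_extension(SAMPLE, t))
```

A session-resumption path may skip this decision entirely, as the reply notes; the check only matters for full handshakes.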