Re: [Trans] DNS for CT

Ben Laurie <benl@google.com> Wed, 24 February 2016 14:10 UTC

Date: Wed, 24 Feb 2016 14:10:24 +0000
Message-ID: <CABrd9SQY90vKZO=XrpZc5FVO9CgDD73WFffcWjgLyX1aXN63Jw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/trans/MNUvj2pCigWp4r2_pmZUoJUbk1E>
Cc: Pierre Phaneuf <pphaneuf@google.com>, "trans@ietf.org" <trans@ietf.org>, "certificate-transparency@googlegroups.com" <certificate-transparency@googlegroups.com>

All these should be fixed now.

On 24 February 2016 at 05:06, Ben Laurie <benl@google.com> wrote:

>
>
> On 24 February 2016 at 00:12, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
>> On 23 Feb 2016, at 8:00, Ben Laurie wrote:
>>
>>> As we've mentioned several times, we've been working on a way to retrieve
>>> CT data over DNS to improve the privacy properties of inclusion proofs.
>>>
>>
>> This is a good idea, and the motivation mentioned in the not-yet-a-draft
>> is good. However, I have some questions about the protocol that you show.
>>
>>
>>> https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md
>>>
>>
>> 1) Why do you create a new Opcode for the header? These are kind of
>> precious values. You are already using prefixes on the QNAME for STH
>> queries; you could easily do so for the others as well.
>>
>
> I don't think that was intentional - we're not actually using a different
> opcode!
>
>
>>
>> 2) Standard practice these days is to have prefixed labels start with an
>> underscore (_).
>>
>
> You mean like in SRV records? It wasn't particularly intended that these
> would be on a domain used for anything other than CT... but no particular
> objection, either.
>
>
>>
>> 3) In the STH Query example, the Question section in the response is
>> different than the Question section in the request. I hope this is a typo,
>> given that RFC 1034 says that the two must be the same.
>>
>
> It is.
>
>
>>
>> 4) If you're sure that the RData values for the responses are less than 256
>> characters, that's fine; if they can be longer than that, you should
>> probably add a note about the TXT records having more than one
>> character-data string.
>
>
> We were trying to avoid that happening...
>
>
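Paul's points 3 and 4 above are both things a CT-over-DNS client can check mechanically: a TXT RDATA is a sequence of length-prefixed character-strings of at most 255 octets each (RFC 1035 section 3.3.14), so anything longer than 255 octets necessarily arrives as several strings that the client must concatenate, and the Question section of a response must repeat the one in the request (RFC 1034 section 4.3.1). The following is an added example written for this thread, not code from the draft or from the certificate-transparency-rfcs repository; the query name `sth.ct.example.net` and the sample payload (ten SHA-256 values standing in for tree hashes, base64-encoded) are constructed for illustration and say nothing about the draft's actual on-the-wire encoding.

```python
"""
TXT RDATA character-string handling and Question-section echo check
for a CT-over-DNS style client. Added example; not the draft's code.
"""
import base64
import hashlib
import struct

QTYPE_TXT = 16
QCLASS_IN = 1
MAX_CHARACTER_STRING = 255  # one-octet length prefix per <character-string>


def encode_txt_rdata(payload: bytes) -> bytes:
    """Split payload into <character-string>s of at most 255 octets each.
    A payload over 255 octets therefore needs more than one string, which
    is exactly the note point 4 asks the draft to add."""
    if not payload:
        return b"\x00"  # RFC 1035 requires at least one (possibly empty) string
    out = bytearray()
    for i in range(0, len(payload), MAX_CHARACTER_STRING):
        chunk = payload[i:i + MAX_CHARACTER_STRING]
        out.append(len(chunk))
        out += chunk
    return bytes(out)


def decode_txt_rdata(rdata: bytes) -> list[bytes]:
    """Walk the length-prefixed strings; reject a truncated one instead of
    silently returning a short hash, the usual parser mistake."""
    pos, parts = 0, []
    while pos < len(rdata):
        n = rdata[pos]
        pos += 1
        if pos + n > len(rdata):
            raise ValueError("truncated <character-string> in TXT RDATA")
        parts.append(rdata[pos:pos + n])
        pos += n
    if not parts:
        raise ValueError("TXT RDATA must carry at least one <character-string>")
    return parts


def txt_payload(rdata: bytes) -> bytes:
    """Concatenate all character-strings back into the logical payload."""
    return b"".join(decode_txt_rdata(rdata))


def encode_question(qname: str, qtype: int = QTYPE_TXT, qclass: int = QCLASS_IN) -> bytes:
    """Wire-format Question section: labels, root, QTYPE, QCLASS (RFC 1035 4.1.2)."""
    out = bytearray()
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    out += struct.pack("!HH", qtype, qclass)
    return bytes(out)


def decode_question(section: bytes) -> tuple[str, int, int]:
    """Parse an uncompressed Question section back into (name, qtype, qclass)."""
    labels, pos = [], 0
    while True:
        n = section[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a Question name")
        labels.append(section[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", section[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def response_matches_request(request_q: bytes, response_q: bytes) -> bool:
    """Point 3: the response must echo the request's Question. Owner names are
    compared case-insensitively (RFC 4343), so a 0x20-style case echo still
    matches; a different name, type or class does not."""
    rname, rtype, rclass = decode_question(request_q)
    sname, stype, sclass = decode_question(response_q)
    return (rname.lower(), rtype, rclass) == (sname.lower(), stype, sclass)


# Constructed sample: ten SHA-256 values standing in for Merkle tree hashes,
# base64-encoded. 320 raw octets become 428 base64 characters, i.e. > 255.
SAMPLE_HASHES = [hashlib.sha256(b"constructed leaf %d" % i).digest() for i in range(10)]
SAMPLE_PAYLOAD = base64.b64encode(b"".join(SAMPLE_HASHES))


def demo() -> dict:
    rdata = encode_txt_rdata(SAMPLE_PAYLOAD)
    strings = decode_txt_rdata(rdata)
    req = encode_question("sth.ct.example.net")      # hypothetical log zone
    ok_resp = encode_question("STH.ct.Example.NET")  # same question, case echoed
    bad_resp = encode_question("sth.ct.example.org") # different owner name
    return {
        "payload_len": len(SAMPLE_PAYLOAD),
        "string_count": len(strings),
        "string_lengths": [len(s) for s in strings],
        "round_trip": txt_payload(rdata) == SAMPLE_PAYLOAD,
        "case_echo_matches": response_matches_request(req, ok_resp),
        "other_name_matches": response_matches_request(req, bad_resp),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The 428-character sample splits into a 255-octet string and a 173-octet string; a client that reads only the first character-string would get a truncated blob that still base64-decodes, so concatenating before decoding is the check worth keeping.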