[apps-discuss] AppsDir review of draft-ietf-dane-protocol-19
Peter Saint-Andre <stpeter@stpeter.im> Mon, 23 April 2012 21:30 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08B4621E800F; Mon, 23 Apr 2012 14:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.609
X-Spam-Level:
X-Spam-Status: No, score=-102.609 tagged_above=-999 required=5 tests=[AWL=-0.010, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hr+HjJNRepJ6; Mon, 23 Apr 2012 14:30:52 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id B11B011E808C; Mon, 23 Apr 2012 14:30:52 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 7825C40058; Mon, 23 Apr 2012 15:45:22 -0600 (MDT)
Message-ID: <4F95CA0B.8050202@stpeter.im>
Date: Mon, 23 Apr 2012 15:30:51 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, dane@ietf.org, iesg@ietf.org
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: [apps-discuss] AppsDir review of draft-ietf-dane-protocol-19
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 21:30:54 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is a supplemental AppsDir review of draft-ietf-dane-protocol (for background on AppsDir, please see <http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectorate>). Although Murray Kucherawy has already reviewed this I-D on behalf of the AppsDir, folks in the Applications Area realize that wide deployment of the TLSA Resource Record might have a significant impact on applications, so we are performing additional reviews. Please treat these comments just as you would any other Last Call feedback. Document: draft-ietf-dane-protocol Title: "The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)" Reviewer: Peter Saint-Andre Review Date: 2012-04-23 IETF Last Call Date: 2012-04-25 IESG Telechat: not yet scheduled Summary: This draft is almost ready for publication as an Standards Track RFC but has a few issues that should be fixed before publication. Major Issue: This document does not mention that TLSA records cannot be used directly in application protocols that depend on SRV (or NAPTR or similar technologies). Although I realize that the DANE WG decided, after much discussion, that the interaction between TLSA records and SRV records is out of scope for this specification (and I do not mean to reopen that discussion now), it would be very helpful for this specification to reflect the results of that discussion. Although I make specific suggestions regarding text under the Minor Issues below, in general I think this document needs to be clearer about the assumptions it has made in this regard; in fact, it seems to me that an explicit applicability statement is warranted to avoid confusion of the kind that Dave Cridland experienced (see his Last Call comments). Absent such an applicability statement, it would be good to state up front something that currently is not made explicit until the first sentence of the Security Considerations: The security of the DNS RRtype described in this document relies on the security of DNSSEC as used by the client requesting A/AAAA and TLSA records. The import of "and" in that sentence is significant, and needs to be highlighted earlier in the specification. Minor Issues: 1. In Section 1.2, these sentences might involve a slight oversimplication: A TLS client begins a connection by exchanging messages with a TLS server. It looks up the server's name using the DNS to get an Internet Protocol (IP) address associated with the name. It then begins a connection to a client-chosen port at that address, and sends an initial message there. 1a. The second sentence might be construed as requiring only one step (look up the name, get an IP address), whereas we know that sometimes multiple steps are involved (think SRV). I'd be more comfortable if we added a clause at the end along the lines of "sometimes via multiple steps". 1b. The term "client-chosen port" makes it sound as if the client can choose any port it pleases when connecting to the TLS server. Yet typically the port is derived from a URI, "hardcoded" into the application protocol (sometimes as a fallback), or discovered via the DNS (again, think SRV). We needn't reflect those alternatives in the text, but at the least "appropriate" is better than "client-chosen". 2. In Section 1.3, it is said that "This document only applies to PKIX [RFC5280] certificates, not certificates of other formats." Does this mean that a new RR type would need to be defined to handle other formats (e.g., PGP as in RFC 6091), or only that documents defining how to use TLSA records with those other formats would need to define new values for the Certificate Usage field? Please clarify. 3. In Section 1.3, the following paragraph is true only for application protocols that do not make use of SRV or similar technologies: This document defines a secure method to associate the certificate that is obtained from the TLS server with a domain name using DNS; the DNS information needs to be be protected by DNSSEC. Because the certificate association was retrieved based on a DNS query, the domain name in the query is by definition associated with the certificate. For example, in the case of XMPP the application client might discover through a DNS SRV lookup that the XMPP service for example.com is actually provided at im.example.net. In this case, the domain name in the certificate presented by the TLS server (im.example.net) is not the same as the certificate discovered via the DNS TLSA lookup (example.com), so we can't simply stipulate that "the domain name in the query is by definition associated with the certificate". Here again that applicability statement would be helpful, because this document assumes that you're connecting to the IP address that you discover by means of DNS A/AAAA lookup on the domain name contained in the prefixed DNS domain name defined in Section 3. (As noted, this is made explicit in the first sentence of the Security Considerations.) 4. In Section 2.2, the term "whitespace" is underspecified. Does that include, say, any Unicode space separator (Unicode General Category Zs) or also line separators (Unicode General Category Zl) or only certain code points in the ASCII range? Further, is the whitespace significant in the examples from Section 2.3? 5. To those of us accustomed to SRV records, at first glance the prefixed DNS domain name format defined in Section 3 looks strange: why not _http._tcp.www.example.com instead of _443._tcp.www.example.com? But when we take off our SRV-colored glasses and realize that DANE assumes a DNS A/AAAA lookup on the domain name, it all makes sense. Perhaps it would be helpful to mention the reasoning behind the port number (instead of application name) here? 6. In section 4, no mention is made of the application service that the TLS expects to encounter at the TLS server: The TLS session that is to be set up MUST be for the specific port number and transport name that was given in the TLSA query. Yet surely the application protocol can matter here, no? In particular, given that 443 is the one true port, we know that folks might run non-HTTP applications over that port (for evil reasons, of course). Does DANE elide over the application protocol because we simply assume that the "right" service is being served over any particular port? What about service providers that wish to restrict the usage of a certificate to a particular application service type (cf. RFC 6125)? Or do we assume that it is enough to differentiate among application services based on the underlying transport (as seems to be the case in the text on "Multiple Ports" in Section 5)? IMHO we have a bit of a muddle here. 7. The paragraph about SSL proxies in Section 8 says that "the TLS client will get a certificate association from the DNS that will not match the certificate that the SSL proxy uses with the client"; however, if the SSL proxy is working in concert with an external DNS validator, is it possible to mimic the behavior of current SSL proxies? Nits: 1. In Section 1.1, I suggest changing "using encryption" to "using channel encryption" (since TLS uses connection-oriented encryption methods, not object encryption). 2. Section 1.1, uses the term "subdomain" in the sentence "This prevents an untrustworthy signer from compromising anyone's keys except those in their own subdomains." The term "subdomain" is not always well understood. I suggest explicitly citing Section 3.1 of RFC 1034 here. 3. In Section 1.3, the phrase "the domain name where the data is found" makes it sound as if DANE applies only to application protocols that involve data retrieval, whereas we know it can be used also for technologies that involve communication (email, IM, etc.). I suggest "the domain name for the relevant application service" or somesuch. 4. In Section 1.3, I suggest changing "server" (which might be confused with the TLS server itself) to "service" or "application service" in this sentence: "A DNS query can return multiple certificate associations, such as in the case of a server is changing from one certificate to another." Typo: "have lead" should be "have led". Peter - -- Peter Saint-Andre https://stpeter.im/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk+VygoACgkQNL8k5A2w/vxyDwCfTTdHCQ1Vo/gHdumTbLGD8gP+ xJwAn0SQ1CkXK3t/38rWE881tc6ZbySt =ZnZX -----END PGP SIGNATURE-----
- Re: [apps-discuss] [dane] AppsDir review of Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… Mark Andrews
- [apps-discuss] AppsDir review of draft-ietf-dane-… Peter Saint-Andre
- [apps-discuss] AppsDir review of draft-ietf-dane-… Alexey Melnikov
- Re: [apps-discuss] AppsDir review of draft-ietf-d… Alexey Melnikov
- Re: [apps-discuss] AppsDir review of draft-ietf-d… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Wouters
- Re: [apps-discuss] [dane] AppsDir review of draft… Warren Kumari
- Re: [apps-discuss] [dane] AppsDir review of draft… Alexey Melnikov
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… Alexey Melnikov
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… John Gilmore
- Re: [apps-discuss] [dane] AppsDir review of draft… Mark Andrews
- Re: [apps-discuss] [dane] AppsDir review of draft… Patrik Fältström
- Re: [apps-discuss] [dane] AppsDir review of draft… S Moonesamy
- Re: [apps-discuss] [dane] AppsDir review of draft… John Gilmore
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… SM
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Matt Miller
- Re: [apps-discuss] [dane] AppsDir review of draft… Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Warren Kumari
- Re: [apps-discuss] [dane] AppsDir review of draft… Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… Matt Miller
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- [apps-discuss] Documenting DANE for XMPP (WAS: [d… Matt Miller
- Re: [apps-discuss] [dane] AppsDir review of draft… Dave Cridland
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Stephen Farrell
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Stephen Farrell
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… James Cloos
- Re: [apps-discuss] [dane] AppsDir review of draft… Stephen Farrell
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Stephen Farrell
- Re: [apps-discuss] [dane] AppsDir review of draft… Jakob Schlyter
- Re: [apps-discuss] [dane] AppsDir review of draft… Mark Andrews
- Re: [apps-discuss] [dane] Documenting DANE for XM… Richard L. Barnes
- Re: [apps-discuss] [dane] Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of Mark Andrews
- Re: [apps-discuss] [dane] AppsDir review of Tony Finch
- Re: [apps-discuss] [dane] AppsDir review of draft… Mark Andrews
- Re: [apps-discuss] [dane] AppsDir review of draft… Warren Kumari
- Re: [apps-discuss] [dane] Ned Freed
- Re: [apps-discuss] [dane] Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of Martin Rex
- Re: [apps-discuss] [dane] Ned Freed
- Re: [apps-discuss] [dane] Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of Mark Andrews
- Re: [apps-discuss] [dane] Ned Freed
- [apps-discuss] MX and DANE (Was: [dane] AppsDir r… Ondřej Surý
- [apps-discuss] Client-defined port -> particular … Ondřej Surý
- Re: [apps-discuss] [dane] AppsDir review of draft… Ondřej Surý
- Re: [apps-discuss] [dane] MX and DANE (Was: AppsD… Tony Finch
- Re: [apps-discuss] [dane] MX and DANE (Was: AppsD… Richard L. Barnes
- Re: [apps-discuss] [dane] MX and DANE (Was: AppsD… Ondřej Surý
- Re: [apps-discuss] [dane] AppsDir review of draft… Ondřej Surý
- Re: [apps-discuss] [dane] AppsDir review of Ondřej Surý
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… SM
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Andrew Sullivan
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… SM
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] MX and DANE (Was: AppsD… Mark Andrews
- Re: [apps-discuss] [dane] AppsDir review of draft… Ned Freed
- Re: [apps-discuss] [dane] AppsDir review of draft… Peter Saint-Andre
- Re: [apps-discuss] [dane] AppsDir review of draft… Paul Hoffman
- Re: [apps-discuss] [dane] AppsDir review of draft… Andrew Sullivan
- Re: [apps-discuss] [dane] MX and DANE (Was: AppsD… Martin Rex
- Re: [apps-discuss] [dane] AppsDir review of draft… Ondřej Surý