Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Tim Wicinski


All,

The WGLC has finished, and it appears to be rough consensus on moving 
forward.  I want to touch base with my co-chair and AD on one issue, but 
I will work on the Shepherd write up over the next few days and submit 
it into the pipeline. I plan on mentioning the issues raised about 
waiting for other documents before moving forward in my shepherd notes.


tim


On 10/22/15 2:23 AM, Warren Kumari wrote:

Dear DPRIVE WG,

The authors of draft-ietf-dprive-dns-over-tls-01 have indicated that
they believe that the document is ready, and have asked for Working
Group Last Call.

The draft is available here:
https://datatracker.ietf.org/doc/draft-ietf-dprive-dns-over-tls-01/

Please review this draft to see if you think it is ready for
publication and send comments to the DPRIVE list, clearly stating your
view.

We have chosen to run this WGLC during the IETF meeting, and have it
end after the meeting. This will allow us use meeting time to discuss
contentious WGLC issues (if any).
This will be a 3 week WGLC, and ends Thu 12-Nov-2015.


To satisfy RFC 6702 ("Promoting Compliance with Intellectual Property
Rights (IPR)"):
Are you personally aware of any IPR that applies to
draft-ietf-dprive-dns-over-tls-01?  If so, has this IPR been disclosed
in compliance with IETF IPR rules? (See RFCs 3979, 4879, 3669, and
5378 for more details.)

Thanks,
Warren Kumari
(as DPRIVE WG co-chair)




___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Tim Wicinski



On 11/13/15 8:22 AM, Paul Hoffman wrote:



Just to be clear: do the chairs read the rough consensus to be that the
draft needs to remove Sections 3.2 and all of Section 4, and move them
to a new document?

--Paul Hoffman


Yes, I do (once I remembered).  I am circling back with the others,  but 
I believe this is the case.


I'm also waiting for the -02 before actioning.

tim



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Paul Hoffman

On 13 Nov 2015, at 3:31, Tim Wicinski wrote:

The WGLC has finished, and it appears to be rough consensus on moving 
forward.  I want to touch base with my co-chair and AD on one issue, 
but I will work on the Shepherd write up over the next few days and 
submit it into the pipeline. I plan on mentioning the issues raised 
about waiting for other documents before moving forward in my shepherd 
notes.


Just to be clear: do the chairs read the rough consensus to be that the 
draft needs to remove Sections 3.2 and all of Section 4, and move them 
to a new document?


--Paul Hoffman



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Sara Dickinson

> On 13 Nov 2015, at 16:39, Paul Hoffman  wrote:
> 
> On 13 Nov 2015, at 8:28, Tim Wicinski wrote:
> 
>> On 11/13/15 8:22 AM, Paul Hoffman wrote:
>> 
>>> 
>>> Just to be clear: do the chairs read the rough consensus to be that the
>>> draft needs to remove Sections 3.2 and all of Section 4, and move them
>>> to a new document?
>>> 
>>> --Paul Hoffman
>> 
>> Yes, I do (once I remembered).  I am circling back with the others,  but I 
>> believe this is the case.


Ah, this isn't my recollection. The proposed changes were much smaller, on the 
order of a few sentences in section 4.2 just to update the authentication 
profile. The plan for the follow-up document was to extend the authentication 
profiles, not completely replace them (and the reference would not be normative). 

Sara. 




Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Warren Kumari
Doh. Messages passed in the ether.

W

On Sat, Nov 14, 2015 at 2:48 AM, Paul Hoffman  wrote:
> Whoops, Sara is right and I was wrong. What the WG agreed to was in the
> slides in Yokohama:
>
> =
> Explicitly state that an upcoming document will define further
> authentication profiles
>   Draft in development, will be submitted ASAP
>
> This draft will document Opportunistic and briefly cite the risk-benefit for
> it
>
> This draft will provide a brief sketch of authentication in the case where
> there is a two-way active relationship between the client and the server
> (e.g. enterprise)
> =
>
> Unlike what I said a bit ago, we obviously can't pull out the current
> security requirements and point to a future document: that will never fly
> with the IESG (and nor should it).
>
> --Paul Hoffman
>
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-13 Thread Paul Hoffman
Whoops, Sara is right and I was wrong. What the WG agreed to was in the 
slides in Yokohama:


=
Explicitly state that an upcoming document will define further 
authentication profiles

  Draft in development, will be submitted ASAP

This draft will document Opportunistic and briefly cite the risk-benefit 
for it


This draft will provide a brief sketch of authentication in the case 
where there is a two-way active relationship between the client and the 
server (e.g. enterprise)

=

Unlike what I said a bit ago, we obviously can't pull out the current 
security requirements and point to a future document: that will never 
fly with the IESG (and nor should it).


--Paul Hoffman



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-12 Thread Tim Wicinski


(as chair)

I don't see the point in holding up this document for the other DTLS 
document(s).   Using the "running code" practice, there is code out here 
which supports dns-over-tls.   The authors of dns-over-dtls do not have 
a plan to implement any solutions at this time.  However, as chair, I've 
reached out and I do believe some of the folks who have implemented the 
current dns-over-tls solution work on a proof of concept of dns-over-dtls.


I'll chat with Warren about this, but I don't see the reasons to hold 
this one for now.


tim

On 11/9/15 11:32 AM, Simon Josefsson wrote:

"Mankin, Allison" <aman...@verisign.com> writes:


My two cents is that the authentication profile for TLS and DTLS
should not be the same as a draft with flows.

I reviewed the flows draft before it was submitted (and thank the
authors for responding to initial comments).  Unsurprisingly, the
flows draft is almost entirely made up of flows.  I estimate that many
will have to change in response to DPRIVE WG review/discussion of the
DTLS fragmentation scheme; also, some of them may need to change based
on what is finalized for 1.3 in the TLS WG.  In keeping with other
precedents at IETF, I’d see the flows draft as an informational
document to help implementors/deployers.


I don't think this WG should wait for completion of TLS 1.3.  If you
write drafts the right way, I don't see anything that needs to be
changed moving from TLS 1.2 to TLS 1.3.  Or are you thinking of
mandating TLS >= 1.3 for dprive?

I believe the dprive documents are in reasonable shape, and the only
worrying concern is that the (D)TLS-considerations ought to be
synchronized between DoDTLS and DoTLS.  It appears there is already work
towards fixing that, and once that document is available, there could be
a WG last call on all three documents.  I don't see anything that would
prevent this from happening during the next 0-3 months process-wise.  I
believe that TLS 1.3 will not be finalized within that time-frame.

/Simon



The authentication profile for TLS/DTLS is something we can pull
together now, with some work by the WG, and I’d expect it to be
standards track.  I would not want to delay it for finishing the
detailed engineering on the DTLS draft.

Bottom line: I very much support Sara’s offer to start a stand-alone
document for the authentication profile.  Speaking for the TLS
authors, we’ll be happy to add language pointing ahead to an
authentication profile external to our draft.

Allison

.



On Oct 27, 2015, at 11:12 AM, Tirumaleswar Reddy (tireddy) <tire...@cisco.com> 
wrote:



From: Sara Dickinson [mailto:s...@sinodun.com <mailto:s...@sinodun.com>]
Sent: Tuesday, October 27, 2015 7:34 PM
To: Tirumaleswar Reddy (tireddy)
Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01


On 27 Oct 2015, at 12:31, Tirumaleswar Reddy (tireddy)
<tire...@cisco.com <mailto:tire...@cisco.com>> wrote:


I’m saying I think creating a separate document that specifically
covers authentication for both TLS and DTLS makes most sense to me
and will be clearer for consumers of the documents.

[TR] We can move this Section to
https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00
<https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00>
and that will take care both (D)TLS profile for DNS privacy and
authenticating the server.

I guess this is a decision for the working group since the DTLS
draft is adopted, but the above document isn’t.

[TR] Yes, of course; will do that only after WG feedback and adoption of the 
draft.

-Tiru

Sara.








Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-09 Thread Tirumaleswar Reddy (tireddy)
> -Original Message-
> From: Simon Josefsson [mailto:si...@josefsson.org]
> Sent: Tuesday, November 10, 2015 1:02 AM
> To: Mankin, Allison
> Cc: Tirumaleswar Reddy (tireddy); Sara Dickinson; dns-privacy@ietf.org
> Subject: Re: Start of WGLC for draft-ietf-dprive-dns-over-tls-01
> 
> "Mankin, Allison" <aman...@verisign.com> writes:
> 
> > My two cents is that the authentication profile for TLS and DTLS
> > should not be the same as a draft with flows.
> >
> > I reviewed the flows draft before it was submitted (and thank the
> > authors for responding to initial comments).  Unsurprisingly, the
> > flows draft is almost entirely made up of flows.  I estimate that many
> > will have to change in response to DPRIVE WG review/discussion of the
> > DTLS fragmentation scheme; also, some of them may need to change based
> > on what is finalized for 1.3 in the TLS WG.  In keeping with other
> > precedents at IETF, I’d see the flows draft as an informational
> > document to help implementors/deployers.
> 
> I don't think this WG should wait for completion of TLS 1.3.  If you write
> drafts the right way, I don't see anything that needs to be changed moving
> from TLS 1.2 to TLS 1.3.  Or are you thinking of mandating TLS >= 1.3 for
> dprive?

No. The proposal is to split draft-wing-dprive-profile-and-msg-flows-00: the (D)TLS 
1.2 profile for providing DNS privacy and authentication of the DNS server will 
be discussed in one draft. We plan to publish this draft in a couple of weeks.
draft-wing-dprive-profile-and-msg-flows-00 will be made informational and will only 
discuss message flows for DNS-over-(D)TLS, also including message flows with 
TLS 1.3; we will keep updating the draft-wing-dprive-profile-and-msg-flows draft as 
TLS 1.3 work progresses, and it can be considered for publication after the TLS 1.3 
work is finalized. 

-Tiru

> 
> I believe the dprive documents are in reasonable shape, and the only
> worrying concern is that the (D)TLS-considerations ought to be synchronized
> between DoDTLS and DoTLS.  It appears there is already work towards fixing
> that, and once that document is available, there could be a WG last call on 
> all
> three documents.  I don't see anything that would prevent this from
> happening during the next 0-3 months process-wise.  I believe that TLS 1.3
> will not be finalized within that time-frame.
> 
> /Simon
> 
> >
> > The authentication profile for TLS/DTLS is something we can pull
> > together now, with some work by the WG, and I’d expect it to be
> > standards track.  I would not want to delay it for finishing the
> > detailed engineering on the DTLS draft.
> >
> > Bottom line: I very much support Sara’s offer to start a stand-alone
> > document for the authentication profile.  Speaking for the TLS
> > authors, we’ll be happy to add language pointing ahead to an
> > authentication profile external to our draft.
> >
> > Allison
> >
> > .
> >
> >
> >> On Oct 27, 2015, at 11:12 AM, Tirumaleswar Reddy (tireddy)
> <tire...@cisco.com> wrote:
> >>
> >>
> >>
> >> From: Sara Dickinson [mailto:s...@sinodun.com
> >> <mailto:s...@sinodun.com>]
> >> Sent: Tuesday, October 27, 2015 7:34 PM
> >> To: Tirumaleswar Reddy (tireddy)
> >> Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
> >> Subject: Re: [dns-privacy] Start of WGLC for
> >> draft-ietf-dprive-dns-over-tls-01
> >>
> >>
> >> On 27 Oct 2015, at 12:31, Tirumaleswar Reddy (tireddy)
> >> <tire...@cisco.com <mailto:tire...@cisco.com>> wrote:
> >>
> >>
> >> I’m saying I think creating a separate document that specifically
> >> covers authentication for both TLS and DTLS makes most sense to me
> >> and will be clearer for consumers of the documents.
> >>
> >> [TR] We can move this Section to
> >> https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00
> >> <https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00>
> >> and that will take care both (D)TLS profile for DNS privacy and
> >> authenticating the server.
> >>
> >> I guess this is a decision for the working group since the DTLS draft
> >> is adopted, but the above document isn’t.
> >>
> >> [TR] Yes, of course; will do that only after WG feedback and adoption of
> the draft.
> >>
> >> -Tiru
> >>
> >> Sara.


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-11-09 Thread Simon Josefsson
"Mankin, Allison" <aman...@verisign.com> writes:

> My two cents is that the authentication profile for TLS and DTLS
> should not be the same as a draft with flows.
>
> I reviewed the flows draft before it was submitted (and thank the
> authors for responding to initial comments).  Unsurprisingly, the
> flows draft is almost entirely made up of flows.  I estimate that many
> will have to change in response to DPRIVE WG review/discussion of the
> DTLS fragmentation scheme; also, some of them may need to change based
> on what is finalized for 1.3 in the TLS WG.  In keeping with other
> precedents at IETF, I’d see the flows draft as an informational
> document to help implementors/deployers.

I don't think this WG should wait for completion of TLS 1.3.  If you
write drafts the right way, I don't see anything that needs to be
changed moving from TLS 1.2 to TLS 1.3.  Or are you thinking of
mandating TLS >= 1.3 for dprive?

I believe the dprive documents are in reasonable shape, and the only
worrying concern is that the (D)TLS-considerations ought to be
synchronized between DoDTLS and DoTLS.  It appears there is already work
towards fixing that, and once that document is available, there could be
a WG last call on all three documents.  I don't see anything that would
prevent this from happening during the next 0-3 months process-wise.  I
believe that TLS 1.3 will not be finalized within that time-frame.

/Simon

>
> The authentication profile for TLS/DTLS is something we can pull
> together now, with some work by the WG, and I’d expect it to be
> standards track.  I would not want to delay it for finishing the
> detailed engineering on the DTLS draft.
>
> Bottom line: I very much support Sara’s offer to start a stand-alone
> document for the authentication profile.  Speaking for the TLS
> authors, we’ll be happy to add language pointing ahead to an
> authentication profile external to our draft.
>
> Allison
>
> .
>
>
>> On Oct 27, 2015, at 11:12 AM, Tirumaleswar Reddy (tireddy) 
>> <tire...@cisco.com> wrote:
>> 
>>  
>>  
>> From: Sara Dickinson [mailto:s...@sinodun.com <mailto:s...@sinodun.com>] 
>> Sent: Tuesday, October 27, 2015 7:34 PM
>> To: Tirumaleswar Reddy (tireddy)
>> Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
>> Subject: Re: [dns-privacy] Start of WGLC for 
>> draft-ietf-dprive-dns-over-tls-01
>>  
>>  
>> On 27 Oct 2015, at 12:31, Tirumaleswar Reddy (tireddy)
>> <tire...@cisco.com <mailto:tire...@cisco.com>> wrote:
>> 
>> 
>> I’m saying I think creating a separate document that specifically
>> covers authentication for both TLS and DTLS makes most sense to me
>> and will be clearer for consumers of the documents.
>>  
>> [TR] We can move this Section to
>> https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00
>> <https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00>
>> and that will take care both (D)TLS profile for DNS privacy and
>> authenticating the server.
>>  
>> I guess this is a decision for the working group since the DTLS
>> draft is adopted, but the above document isn’t.
>>  
>> [TR] Yes, of course; will do that only after WG feedback and adoption of the 
>> draft.
>>  
>> -Tiru
>>  
>> Sara. 


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-29 Thread Stephane Bortzmeyer
On Thu, Oct 22, 2015 at 10:23:02AM +0100,
 Warren Kumari  wrote 
 a message of 43 lines which said:

> The authors of draft-ietf-dprive-dns-over-tls-01 have indicated that
> they believe that the document is ready, and have asked for Working
> Group Last Call.

I'm one of the several persons who believe that we should delay WG
approval a bit to align DNS-over-TLS and DNS-over-DTLS, especially the
server authentication part (-01 does not even mention which field in
the cert to check).

For draft-ietf-dprive-dns-over-tls-01, I have the following remarks:

Abstract: "eliminates opportunities for eavesdropping". "Eliminates"
seems too strong. For instance, section 9, paragraph 4 explains you can
still get information by eavesdropping.

Section 3.3: the text in the last paragraph is now a bit different
from the one in I-D.ietf-dnsop-5966bis. Maybe copy-and-paste the text
from 5966bis?


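The "which field in the cert to check" point above is exactly what an RFC 6125 reference identity check settles. The following is an added example, not text from the draft or from any poster: a checker for a DNS-over-TLS server certificate that takes the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, prefers subjectAltName dNSName/iPAddress entries over the subject CN, and applies the whole-left-most-label wildcard rule. All names and addresses in it are constructed for illustration.

```python
"""RFC 6125-style reference identity check for a DNS-over-TLS server.

Constructed example (not from the draft or any poster). The "certificate"
is a dict in the layout Python's ssl.SSLSocket.getpeercert() returns, so
the checker can sit directly in front of a real getpeercert() result.
All names and addresses below are assumptions for illustration.
"""
import ipaddress


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented dNSName against the configured reference name.

    Rules applied (RFC 6125 sections 6.4.1 and 6.4.3):
      - case-insensitive, trailing dot ignored, same number of labels
      - a wildcard is only honoured as the entire left-most label, it
        matches exactly one label, and at least two labels must follow it
        (so "*.example" never matches anything)
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or len(p) < 2:
        return False
    if any("*" in label for label in p):
        if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
            return False
    return all(a == "*" or a == b for a, b in zip(p, r))


def verify_dot_server(cert: dict, reference: str) -> bool:
    """Return True if the server certificate covers `reference`.

    `reference` is the authentication domain name the stub resolver was
    configured with, or an IP literal when the resolver is configured by
    address. Per RFC 6125 section 6.4.4 the subject commonName is only
    consulted when the certificate carries no dNSName subjectAltName.
    """
    san = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        # IP reference identifier: only an iPAddress SAN entry may satisfy it;
        # a CN holding the address in text form is not a valid match.
        for kind, value in san:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ref_ip:
                        return True
                except ValueError:
                    continue
        return False

    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(dns_id_matches(name, reference) for name in dns_names)

    # Legacy fallback: no dNSName SAN at all, so the subject CN is consulted.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_id_matches(value, reference):
                return True
    return False


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "dns.example"),),),
    "subjectAltName": (
        ("DNS", "dns.example"),
        ("DNS", "*.resolvers.example"),
        ("IP Address", "192.0.2.53"),
    ),
}

# Constructed legacy sample with a CN but no subjectAltName.
LEGACY_CERT = {"subject": ((("commonName", "legacy.example"),),)}


if __name__ == "__main__":
    for ref in ("dns.example", "a.resolvers.example",
                "b.a.resolvers.example", "192.0.2.53", "192.0.2.54"):
        print(f"{ref:24s} -> {verify_dot_server(SAMPLE_CERT, ref)}")
```

In a real client this runs after the chain has validated against the configured trust anchors; the name check alone says nothing about who issued the certificate.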


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-29 Thread Mankin, Allison
Hi Stephane,

What do you think of the idea of a separated out TLS and DTLS authentication 
draft that applies to both? There's a move afoot to submit one as soon as the 
draft window opens.

We will improve the authentication section in the TLS draft per your point 
below and/or thru pointing to the new draft.

There's something elusive about our attempts to get an exact match of language 
between 5966bis and the TLS draft - the authors overlap but we keep missing 
anyway. Thanks for observing* the current mismatch. We will align. 

Allison

[*] I hope the problem isn't Heisenberg uncertainty ;-)



Sent from my iPhone

> On Oct 29, 2015, at 12:04, Stephane Bortzmeyer  wrote:
> 
> I'm one of the several persons who believe that we should delay WG
> approval a bit to align DNS-over-TLS and DNS-over-DTLS, specially the
> server authentication part (-01 does not even mention which field in
> the cert to check).



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-27 Thread Tirumaleswar Reddy (tireddy)
> -Original Message-
> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of sara
> Sent: Tuesday, October 27, 2015 3:22 PM
> To: 神明達哉
> Cc: Simon Josefsson; Paul Hoffman; dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01
> 
> 
> > On 26 Oct 2015, at 17:26, 神明達哉 <jin...@wide.ad.jp> wrote:
> >
> >  IIRC when we
> > adopted DNS/TLS from several candidates the decision was to focus on
> > this particular solution while allowing flexibility of discussing
> > other ideas at a lower priority, so we can at least publish one
> > concrete solution document as soon as possible.  I have no problem of
> > discussing DNS/DTLS itself, but if my understanding about the wg focus
> > is correct, I don't think it a good idea to delay publishing DNS/TLS
> > because of its implication with DNS/DTLS.  In that sense merging these
> > two drafts doesn't seem to be a good idea to me.  Extracting and
> > deferring some parts of DNS/TLS may be acceptable if the resulting
> > DNS/TLS draft is still a self-contained document to be published.
> 
> I strongly agree with this position. I believe the working group should
> produce 3 documents here:
> 
> 1) This draft - the technical discussion of DNS-over-TLS: I believe this
> document is mature enough to move forward as a standalone document
> (possibly with some minor re-working of section 5, to further clarify the
> scope with respect to authentication and add other references?). As detailed
> in the implementation section it also has several implementations.
> 
> 2) The technical discussion of DNS-over-DTLS: I believe that document is still
> under active review and development.
> 
> 3) I agree there should be a separate document to describe further details of
> 'Authentication of DNS-over-(D)TLS connections’, and I am willing to work on
> that.

Authenticating the DNS privacy server is discussed in 
https://tools.ietf.org/html/draft-ietf-dprive-dnsodtls-02#section-3.2 and is 
applicable for both TLS and DTLS.

-Tiru

> 
> I think this separation is the most pragmatic and flexible way to allow the
> working group to deliver DNS Privacy in a timely fashion, without introducing
> unnecessary dependencies between the solutions.
> 
> Sara.


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-27 Thread Mankin, Allison
My two cents is that the authentication profile for TLS and DTLS should not be 
the same as a draft with flows. 

I reviewed the flows draft before it was submitted (and thank the authors for 
responding to initial comments).   Unsurprisingly, the flows draft is almost 
entirely made up of flows.  I estimate that many will have to change in 
response to DPRIVE WG review/discussion of the DTLS fragmentation scheme; also, 
some of them may need to change based on what is finalized for 1.3 in the TLS 
WG.  In keeping with other precedents at IETF, I’d see the flows draft as an 
informational document to help implementors/deployers.

The authentication profile for TLS/DTLS is something we can pull together now, 
with some work by the WG, and I’d expect it to be standards track.  I would not 
want to delay it for finishing the detailed engineering on the DTLS draft.

Bottom line:  I very much support Sara’s offer to start a stand-alone document 
for the authentication profile.  Speaking for the TLS authors, we’ll be happy 
to add language pointing ahead to an authentication profile external to our 
draft. 

Allison

.


> On Oct 27, 2015, at 11:12 AM, Tirumaleswar Reddy (tireddy) 
> <tire...@cisco.com> wrote:
> 
>  
>  
> From: Sara Dickinson [mailto:s...@sinodun.com <mailto:s...@sinodun.com>] 
> Sent: Tuesday, October 27, 2015 7:34 PM
> To: Tirumaleswar Reddy (tireddy)
> Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
> Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01
>  
>  
> On 27 Oct 2015, at 12:31, Tirumaleswar Reddy (tireddy) <tire...@cisco.com 
> <mailto:tire...@cisco.com>> wrote:
> 
> 
> I’m saying I think creating a separate document that specifically covers 
> authentication for both TLS and DTLS makes most sense to me and will be 
> clearer for consumers of the documents.
>  
> [TR] We can move this Section to 
> https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00 
> <https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00> and 
> that will take care both (D)TLS profile for DNS privacy and authenticating 
> the server.
>  
> I guess this is a decision for the working group since the DTLS draft is 
> adopted, but the above document isn’t.
>  
> [TR] Yes, of course; will do that only after WG feedback and adoption of the 
> draft.
>  
> -Tiru
>  
> Sara. 


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-27 Thread Tirumaleswar Reddy (tireddy)


From: Sara Dickinson [mailto:s...@sinodun.com]
Sent: Tuesday, October 27, 2015 7:34 PM
To: Tirumaleswar Reddy (tireddy)
Cc: dns-privacy@ietf.org
Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01


On 27 Oct 2015, at 12:31, Tirumaleswar Reddy (tireddy) 
<tire...@cisco.com<mailto:tire...@cisco.com>> wrote:


I’m saying I think creating a separate document that specifically covers 
authentication for both TLS and DTLS makes most sense to me and will be clearer 
for consumers of the documents.

[TR] We can move this Section to 
https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00 and that 
will take care both (D)TLS profile for DNS privacy and authenticating the 
server.

I guess this is a decision for the working group since the DTLS draft is 
adopted, but the above document isn’t.

[TR] Yes, of course; will do that only after WG feedback and adoption of the 
draft.

-Tiru

Sara.


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-27 Thread Sara Dickinson

> On 27 Oct 2015, at 12:31, Tirumaleswar Reddy (tireddy)  
> wrote:
> 
> I’m saying I think creating a separate document that specifically covers 
> authentication for both TLS and DTLS makes most sense to me and will be 
> clearer for consumers of the documents.
>  
> [TR] We can move this Section to 
> https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00 
>  and 
> that will take care both (D)TLS profile for DNS privacy and authenticating 
> the server.


I guess this is a decision for the working group since the DTLS draft is 
adopted, but the above document isn’t.

Sara.


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-26 Thread Dan Wing

On 26-Oct-2015 07:28 am, Muhammad Yousaf <myou...@ymail.com> wrote: 
> Hi all, 
> I am new to this list, in fact read the document for the first time. So, don't 
> know whether my comments will make any sense or not. 
> My first feeling is that this document is proposing too much security 
> overhead in the name of privacy protection. 
> TCP Handshake

TCP FastOpen (RFC7413), which would contain the TCP ClientHello

> -> TLS Handshake

Which would use TLS session resumption w/o server-side state (RFC5077), and TLS 
FalseStart (draft-ietf-tls-falsestart).

> -> DNS Request/Reply -> TLS Close -> TCP Close.

The TLS session and TCP connection don't need to be closed right away.  If left 
open, subsequent queries have nearly the same overhead as today's un-encrypted 
queries, and as long as the network is stable (NAT, firewall, path), DNSoTLS 
and DNSoDTLS are very similar in their operation.

> Although draft discussed the overhead, however, only discussion can't resolve 
> the issue. 
> Draft also discussed the long term persistent connections and associated 
> security issues with this approach. Again discussion only is not the solution.
> Draft also discussed the queued requests and its issue. Again no satisfactory 
> solution. 
> Also, it is not clear that why we need to encrypt the traffic between 
> recursive server and the authoritative server. What is the privacy issue 
> there?

The risk is a victim querying a unique (or nearly unique) resource record, 
such as ejkfjuiuerekfjekfjekfjekjfejqkjkejqkj.example.com 
<http://ejkfjuiuerekfjekfjekfjekjfejqkjkejqkj.example.com/> (which might be 
completely unique to that particular user) or such as 
"kitten-pictures.blogspot.com <http://i-love-kittens.blogspot.com/>" (where 
kitten pictures are deemed subversive or are illegal).  Imagine that unique 
query combined with draft-ietf-dnsop-edns-client-subnet.

-d

> If community is not in a hurry, then in my humble opinion, standard body 
> should look for more efficient and well thought out solution may be out of 
> TLS. 
> I can volunteer for any such activity.  
>  
> Best Regards,
> Dr. Muhammad Yousaf,
> Assistant Professor, Faculty of Computing, 
> Riphah International University (RIU), Islamabad
> https://sites.google.com/site/muhyousaf/ 
> <https://sites.google.com/site/muhyousaf/>
> 
> 
> 
> On Sunday, October 25, 2015 9:23 PM, Tirumaleswar Reddy (tireddy) 
> <tire...@cisco.com> wrote:
> 
> 
> > -Original Message-
> > From: dns-privacy [mailto:dns-privacy-boun...@ietf.org 
> > <mailto:dns-privacy-boun...@ietf.org>] On Behalf Of Paul
> > Hoffman
> > Sent: Friday, October 23, 2015 8:01 PM
> > To: Simon Josefsson
> > Cc: dns-privacy@ietf.org <mailto:dns-privacy@ietf.org>
> > Subject: Re: [dns-privacy] Start of WGLC for 
> > draft-ietf-dprive-dns-over-tls-01
> > 
> > On 10/23/15, 1:35 PM, "Simon Josefsson" <si...@josefsson.org 
> > <mailto:si...@josefsson.org>> wrote:
> > 
> > >Hi.  I believe the document is in relatively good shape.  I have one
> > >high level concern, and one concern with the document itself that is
> > >related to the higher-level concern:
> > >
> > >1) I believe it would be a mistake to publish this without
> > >synchronizing the TLS-related aspects of DNS-over-TLS and
> > >DNS-over-DTLS.  The documents solve roughly the same problem, with
> > >roughly the same technology.  One important difference is how they
> > >approach authentication of the peer in TLS.  Given the similarities of
> > >the protocols and solutions, this seems like a recipe for
> > >implementation frustration.  An implementer would prefer to implement
> > >DNS-over-TLS/DTLS as similar as possible.  Having different X.509 (etc)
> > >certificate verification code paths depending on whether TLS or DTLS is
> > >used appears bad to me.
> > >
> > >2) On TLS verification, this document should reference RFC 6125 and
> > >describe how naming information should be compared with the locally
> > >known data with what is being presented by the server.  See
> > >draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
> > >the most readable or complete way) of doing this.
> > >
> > >If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
> > >possibility is that TLS-related aspects are deferred from both
> > >documents to another third new document that describes how to perform
> > >TLS credential verification for DNS-over-(D)TLS in a generalized way.
> > >Then there would be harmony in the TLS-related

Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-26 Thread Muhammad Yousaf
Hi all, I am new to this list; in fact I read the document for the first time. So, 
I don't know whether my comments will make any sense or not. My first feeling is 
that this document is proposing too much security overhead in the name of 
privacy protection: TCP Handshake -> TLS Handshake -> DNS Request/Reply -> TLS 
Close -> TCP Close. Although the draft discussed the overhead, discussion alone 
can't resolve the issue. The draft also discussed long-term persistent connections 
and the security issues associated with this approach. Again, discussion alone is 
not the solution. The draft also discussed queued requests and their issues. Again, 
no satisfactory solution. Also, it is not clear why we need to encrypt the traffic 
between the recursive server and the authoritative server. What is the privacy 
issue there?

If the community is not in a hurry, then in my humble opinion, the standards 
body should look for a more efficient and well thought out solution, maybe 
outside of TLS. I can volunteer for any such activity.

Best Regards,
Dr. Muhammad Yousaf,
Assistant Professor, Faculty of Computing,
Riphah International University (RIU), Islamabad
https://sites.google.com/site/muhyousaf/
 


 On Sunday, October 25, 2015 9:23 PM, Tirumaleswar Reddy (tireddy) 
<tire...@cisco.com> wrote:
 > -Original Message-
> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Paul
> Hoffman
> Sent: Friday, October 23, 2015 8:01 PM
> To: Simon Josefsson
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01
> 
> On 10/23/15, 1:35 PM, "Simon Josefsson" <si...@josefsson.org> wrote:
> 
> >Hi.  I believe the document is in relatively good shape.  I have one
> >high level concern, and one concern with the document itself that is
> >related to the higher-level concern:
> >
> >1) I believe it would be a mistake to publish this without
> >synchronizing the TLS-related aspects of DNS-over-TLS and
> >DNS-over-DTLS.  The documents solve roughly the same problem, with
> >roughly the same technology.  One important difference is how they
> >approach authentication of the peer in TLS.  Given the similarities of
> >the protocols and solutions, this seems like a recipe for
> >implementation frustration.  An implementer would prefer to implement
> >DNS-over-TLS/DTLS as similar as possible.  Having different X.509 (etc)
> >certificate verification code paths depending on whether TLS or DTLS is
> >used appears bad to me.
> >
> >2) On TLS verification, this document should reference RFC 6125 and
> >describe how naming information should be compared with the locally
> >known data with what is being presented by the server.  See
> >draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
> >the most readable or complete way) of doing this.
> >
> >If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
> >possibility is that TLS-related aspects are deferred from both
> >documents to another third new document that describes how to perform
> >TLS credential verification for DNS-over-(D)TLS in a generalized way.
> >Then there would be harmony in the TLS-related aspects, and the
> >respective document can focus on the DNS-related aspects.  If document
> >editor cycles are the limiting factor, I would volunteer to help write this.
> 
> Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to the
> IETF, it makes no sense at all to have them have different crypto properties.
> I don't care if the answer is "harmonize each before finishing" or "harmonize
> them by reference to a third document".

https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00 
discusses both the TLS and DTLS profiles for providing DNS privacy.

-Tiru

> 
> --Paul Hoffman

___
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy




Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-26 Thread 神明達哉
At Fri, 23 Oct 2015 14:31:15 +,
Paul Hoffman  wrote:

> >1) I believe it would be a mistake to publish this without synchronizing
> >the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS.
[...]
> >2) On TLS verification, this document should reference RFC 6125 and
> >describe how naming information should be compared with the locally
> >known data with what is being presented by the server.
[...]
> >If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
> >possibility is that TLS-related aspects are deferred from both documents
> >to another third new document that describes how to perform TLS
> >credential verification for DNS-over-(D)TLS in a generalized way.  Then
> >there would be harmony in the TLS-related aspects, and the respective
> >document can focus on the DNS-related aspects.  If document editor
> >cycles are the limiting factor, I would volunteer to help write this.
>
> Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to
> the IETF, it makes no sense at all to have them have different crypto
> properties. I don't care if the answer is "harmonize each before
> finishing" or "harmonize them by reference to a third document".

I have a preliminary question about the 'If'.  I don't remember
exactly how the DNS/DTLS draft became a wg document, but IIRC when we
adopted DNS/TLS from several candidates the decision was to focus on
this particular solution while allowing flexibility to discuss
other ideas at a lower priority, so we can at least publish one
concrete solution document as soon as possible.  I have no problem with
discussing DNS/DTLS itself, but if my understanding about the wg focus
is correct, I don't think it is a good idea to delay publishing DNS/TLS
because of its implications for DNS/DTLS.  In that sense merging these
two drafts doesn't seem to be a good idea to me.  Extracting and
deferring some parts of DNS/TLS may be acceptable if the resulting
DNS/TLS draft is still a self-contained document to be published.

--
JINMEI, Tatuya



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-26 Thread 神明達哉
At Mon, 26 Oct 2015 19:05:56 +0100,
Simon Josefsson  wrote:

> > I have a preliminary question about the 'If'.  I don't remember
> > exactly how the DNS/DTLS draft became a wg document, but IIRC when we
> > adopted DNS/TLS from several candidates the decision was to focus on
> > this particular solution while allowing flexibility to discuss
> > other ideas at a lower priority, so we can at least publish one
> > concrete solution document as soon as possible.  I have no problem with
> > discussing DNS/DTLS itself, but if my understanding about the wg focus
> > is correct, I don't think it is a good idea to delay publishing DNS/TLS
> > because of its implications for DNS/DTLS.  In that sense merging these
> > two drafts doesn't seem to be a good idea to me.  Extracting and
> > deferring some parts of DNS/TLS may be acceptable if the resulting
> > DNS/TLS draft is still a self-contained document to be published.
>
> Both DNS/TLS and DNS/DTLS were adopted by the WG, check the mailing list
> archives.

I know DNS/TLS was adopted by the WG (was I unclear about that in my
previous message?).  My question was about the significance of the
adoption of DNS/DTLS, especially about whether DNS/DTLS should affect
the progress of DNS/TLS or whether we rather want the latter to be
published sooner as long as it's complete other than issues related to
DTLS interaction.

--
JINMEI, Tatuya



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-25 Thread Tirumaleswar Reddy (tireddy)
> -Original Message-
> From: dns-privacy [mailto:dns-privacy-boun...@ietf.org] On Behalf Of Paul
> Hoffman
> Sent: Friday, October 23, 2015 8:01 PM
> To: Simon Josefsson
> Cc: dns-privacy@ietf.org
> Subject: Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01
> 
> On 10/23/15, 1:35 PM, "Simon Josefsson" <si...@josefsson.org> wrote:
> 
> >Hi.  I believe the document is in relatively good shape.  I have one
> >high level concern, and one concern with the document itself that is
> >related to the higher-level concern:
> >
> >1) I believe it would be a mistake to publish this without
> >synchronizing the TLS-related aspects of DNS-over-TLS and
> >DNS-over-DTLS.  The documents solve roughly the same problem, with
> >roughly the same technology.  One important difference is how they
> >approach authentication of the peer in TLS.  Given the similarities of
> >the protocols and solutions, this seems like a recipe for
> >implementation frustration.  An implementer would prefer to implement
> >DNS-over-TLS/DTLS as similar as possible.  Having different X.509 (etc)
> >certificate verification code paths depending on whether TLS or DTLS is
> >used appears bad to me.
> >
> >2) On TLS verification, this document should reference RFC 6125 and
> >describe how naming information should be compared with the locally
> >known data with what is being presented by the server.  See
> >draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
> >the most readable or complete way) of doing this.
> >
> >If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
> >possibility is that TLS-related aspects are deferred from both
> >documents to another third new document that describes how to perform
> >TLS credential verification for DNS-over-(D)TLS in a generalized way.
> >Then there would be harmony in the TLS-related aspects, and the
> >respective document can focus on the DNS-related aspects.  If document
> >editor cycles are the limiting factor, I would volunteer to help write this.
> 
> Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to the
> IETF, it makes no sense at all to have them have different crypto properties.
> I don't care if the answer is "harmonize each before finishing" or "harmonize
> them by reference to a third document".

https://tools.ietf.org/html/draft-wing-dprive-profile-and-msg-flows-00 
discusses both the TLS and DTLS profiles for providing DNS privacy.

-Tiru

> 
> --Paul Hoffman



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-23 Thread Ilari Liusvaara
On Fri, Oct 23, 2015 at 02:35:29PM +0200, Simon Josefsson wrote:
> Warren Kumari  writes:
> 
> > Dear DPRIVE WG,
> >
> > The authors of draft-ietf-dprive-dns-over-tls-01 have indicated that
> > they believe that the document is ready, and have asked for Working
> > Group Last Call.
> 
> Hi.  I believe the document is in relatively good shape.  I have one
> high level concern, and one concern with the document itself that is
> related to the higher-level concern:
> 
> 1) I believe it would be a mistake to publish this without synchronizing
> the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS.  The
> documents solve roughly the same problem, with roughly the same
> technology. 
> 
> If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
> possibility is that TLS-related aspects are deferred from both documents
> to another third new document that describes how to perform TLS
> credential verification for DNS-over-(D)TLS in a generalized way.

Agreed. Furthermore, I think that the (D)TLS profiling aspects should
be merged too (TLS and DTLS are virtually[1] the same here).


[1] IIRC, pretty much the only difference is RC4: Doesn't work at all
in DTLS, forbidden in TLS.



-Ilari



Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-23 Thread Simon Josefsson
Warren Kumari  writes:

> Dear DPRIVE WG,
>
> The authors of draft-ietf-dprive-dns-over-tls-01 have indicated that
> they believe that the document is ready, and have asked for Working
> Group Last Call.

Hi.  I believe the document is in relatively good shape.  I have one
high level concern, and one concern with the document itself that is
related to the higher-level concern:

1) I believe it would be a mistake to publish this without synchronizing
the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS.  The
documents solve roughly the same problem, with roughly the same
technology.  One important difference is how they approach
authentication of the peer in TLS.  Given the similarities of the
protocols and solutions, this seems like a recipe for implementation
frustration.  An implementer would prefer to implement DNS-over-TLS/DTLS
as similar as possible.  Having different X.509 (etc) certificate
verification code paths depending on whether TLS or DTLS is used appears
bad to me.

2) On TLS verification, this document should reference RFC 6125 and
describe how naming information should be compared with the locally
known data with what is being presented by the server.  See
draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
the most readable or complete way) of doing this.

If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
possibility is that TLS-related aspects are deferred from both documents
to another third new document that describes how to perform TLS
credential verification for DNS-over-(D)TLS in a generalized way.  Then
there would be harmony in the TLS-related aspects, and the respective
document can focus on the DNS-related aspects.  If document editor
cycles are the limiting factor, I would volunteer to help write this.

/Simon


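Simon's point 2, comparing a locally configured resolver name with the identifiers the server's certificate presents, worked through as an added example in Python; this is not code from the draft, from draft-ietf-dprive-dnsodtls, or from anyone on the list. It assumes the certificate comes in the dict shape Python's ssl module returns from getpeercert(), and the sample certificate and names are constructed.

```python
"""RFC 6125-style reference identifier matching for a DNS-over-TLS server.

Added example, not code from the draft or from anyone on the list. The
reference identifier (the resolver name or IP literal) is assumed to come
from local configuration, never from an unauthenticated DNS answer.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PresentedIdentifiers:
    """Identifiers extracted from the server's end-entity certificate."""
    dns_ids: List[str] = field(default_factory=list)   # SAN dNSName entries
    ip_ids: List[str] = field(default_factory=list)    # SAN iPAddress entries
    common_name: Optional[str] = None                  # subject CN (legacy)


def identifiers_from_peercert(cert: dict) -> PresentedIdentifiers:
    """Pull identifiers out of the dict shape ssl.SSLSocket.getpeercert() returns."""
    ids = PresentedIdentifiers()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            ids.dns_ids.append(value)
        elif kind == "IP Address":
            ids.ip_ids.append(value)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                ids.common_name = value
    return ids


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.rstrip(".").lower().split(".")


def dns_id_matches(reference: str, presented: str) -> bool:
    """Compare a reference DNS-ID with a presented DNS-ID (RFC 6125 section 6.4.3).

    Conservative wildcard policy: '*' is accepted only as the entire left-most
    label, it matches exactly one label, and at least two labels must follow it
    so that '*.net' style identifiers are never honoured.
    """
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres):
        return False
    if "*" not in presented:
        return ref == pres
    head, tail = pres[0], pres[1:]
    if head != "*" or any("*" in label for label in tail) or len(tail) < 2:
        return False
    return ref[1:] == tail


def verify_resolver_identity(reference: str, presented: PresentedIdentifiers) -> bool:
    """Return True if the locally configured reference matches the certificate."""
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # An IP reference must match a SAN iPAddress entry; no fallback to the CN.
        return any(ipaddress.ip_address(p) == ref_ip for p in presented.ip_ids)
    if presented.dns_ids:
        # RFC 6125: once any DNS-ID is present, the CN is not consulted at all.
        return any(dns_id_matches(reference, d) for d in presented.dns_ids)
    return bool(presented.common_name) and dns_id_matches(reference, presented.common_name)


# Constructed sample in the getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy-name.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("IP Address", "192.0.2.53")),
}
```

The wildcard and CN-fallback rules are deliberately stricter than some TLS libraries apply by default; a resolver configured by IP literal only ever matches a SAN iPAddress entry.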


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-23 Thread Paul Hoffman
On 10/23/15, 1:35 PM, "Simon Josefsson"  wrote:

>Hi.  I believe the document is in relatively good shape.  I have one
>high level concern, and one concern with the document itself that is
>related to the higher-level concern:
>
>1) I believe it would be a mistake to publish this without synchronizing
>the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS.  The
>documents solve roughly the same problem, with roughly the same
>technology.  One important difference is how they approach
>authentication of the peer in TLS.  Given the similarities of the
>protocols and solutions, this seems like a recipe for implementation
>frustration.  An implementer would prefer to implement DNS-over-TLS/DTLS
>as similar as possible.  Having different X.509 (etc) certificate
>verification code paths depending on whether TLS or DTLS is used appears
>bad to me.
>
>2) On TLS verification, this document should reference RFC 6125 and
>describe how naming information should be compared with the locally
>known data with what is being presented by the server.  See
>draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
>the most readable or complete way) of doing this.
>
>If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
>possibility is that TLS-related aspects are deferred from both documents
>to another third new document that describes how to perform TLS
>credential verification for DNS-over-(D)TLS in a generalized way.  Then
>there would be harmony in the TLS-related aspects, and the respective
>document can focus on the DNS-related aspects.  If document editor
>cycles are the limiting factor, I would volunteer to help write this.

Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to
the IETF, it makes no sense at all to have them have different crypto
properties. I don't care if the answer is "harmonize each before
finishing" or "harmonize them by reference to a third document".

--Paul Hoffman




Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-23 Thread Dan Wing

On 23-Oct-2015 07:31 am, Paul Hoffman  wrote:
> 
> On 10/23/15, 1:35 PM, "Simon Josefsson"  wrote:
> 
>> Hi.  I believe the document is in relatively good shape.  I have one
>> high level concern, and one concern with the document itself that is
>> related to the higher-level concern:
>> 
>> 1) I believe it would be a mistake to publish this without synchronizing
>> the TLS-related aspects of DNS-over-TLS and DNS-over-DTLS.  The
>> documents solve roughly the same problem, with roughly the same
>> technology.  One important difference is how they approach
>> authentication of the peer in TLS.  Given the similarities of the
>> protocols and solutions, this seems like a recipe for implementation
>> frustration.  An implementer would prefer to implement DNS-over-TLS/DTLS
>> as similar as possible.  Having different X.509 (etc) certificate
>> verification code paths depending on whether TLS or DTLS is used appears
>> bad to me.
>> 
>> 2) On TLS verification, this document should reference RFC 6125 and
>> describe how naming information should be compared with the locally
>> known data with what is being presented by the server.  See
>> draft-ietf-dprive-dnsodtls for one way (not necessarily the best one or
>> the most readable or complete way) of doing this.
>> 
>> If merging DNS-over-TLS and DNS-over-DTLS is not an option, another
>> possibility is that TLS-related aspects are deferred from both documents
>> to another third new document that describes how to perform TLS
>> credential verification for DNS-over-(D)TLS in a generalized way.  Then
>> there would be harmony in the TLS-related aspects, and the respective
>> document can focus on the DNS-related aspects.  If document editor
>> cycles are the limiting factor, I would volunteer to help write this.
> 
> Fully agree on all counts. If the WG wants to move both -TLS and -DTLS to
> the IETF, it makes no sense at all to have them have different crypto
> properties. I don't care if the answer is "harmonize each before
> finishing" or "harmonize them by reference to a third document".

+1.

-d




Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-22 Thread Tim Wicinski

Bob

https://datatracker.ietf.org/doc/draft-ietf-dprive-dns-over-tls/

is a working URL

thanks for pointing that out

tim


On 10/22/15 6:59 PM, Bob Harold wrote:


On Thu, Oct 22, 2015 at 5:23 AM, Warren Kumari wrote:

Dear DPRIVE WG,

The authors of draft-ietf-dprive-dns-over-tls-01 have indicated that
they believe that the document is ready, and have asked for Working
Group Last Call.

The draft is available here:
https://datatracker.ietf.org/doc/draft-ietf-dprive-dns-over-tls-01/

Please review this draft to see if you think it is ready for
publication and send comments to the DPRIVE list, clearly stating your
view.

We have chosen to run this WGLC during the IETF meeting, and have it
end after the meeting. This will allow us use meeting time to discuss
contentious WGLC issues (if any).
This will be a 3 week WGLC, and ends Thu 12-Nov-2015.


To satisfy RFC 6702 ("Promoting Compliance with Intellectual Property
Rights (IPR)"):
Are you personally aware of any IPR that applies to
draft-ietf-dprive-dns-over-tls-01?  If so, has this IPR been disclosed
in compliance with IETF IPR rules? (See RFCs 3979, 4879, 3669, and
5378 for more details.)

Thanks,
Warren Kumari
(as DPRIVE WG co-chair)

The URL is not working for me, and I cannot find a working URL.  Is it
just me?

--
Bob Harold








Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-22 Thread Wessels, Duane

> On Oct 22, 2015, at 6:59 PM, Bob Harold  wrote:
> 
> The URL is not working for me, and I cannot find a working URL.  Is it just 
> me?


Try this:

https://datatracker.ietf.org/doc/draft-ietf-dprive-dns-over-tls/


Re: [dns-privacy] Start of WGLC for draft-ietf-dprive-dns-over-tls-01

2015-10-22 Thread Bob Harold
On Thu, Oct 22, 2015 at 2:05 PM, Wessels, Duane 
wrote:

>
> > On Oct 22, 2015, at 6:59 PM, Bob Harold  wrote:
> >
> > The URL is not working for me, and I cannot find a working URL.  Is it
> just me?
>
>
> Try this:
>
> https://datatracker.ietf.org/doc/draft-ietf-dprive-dns-over-tls/
>

Thanks Tim and Duane, looks good to me.

-- 
Bob Harold