On Mon, Aug 25, 2014 at 07:07:20PM -0600, Peter Saint-Andre wrote:

> > Yes, Section 2.1 of draft-ietf-dane-smtp-with-dane is indeed quite
> > comprehensive. I am hesitant to copy it to draft-ietf-dane-srv primarily
> > because copying introduces the possibility of divergence in text and
> > secondarily because that text talks about SMTP. It seems safer to me if
> > we point to that text from the dane-srv specification.
>
> Upon reading the dane-smtp document again, I am thinking more strongly that
> the text in Section 2.1 applies to most application protocols, not only
> SMTP; thus I wonder if we can move it to a more general document.
>
> Chairs & WG, what do you think?
At the time that was written, the OPS draft was informational, but this section necessarily contains normative text. So for lack of a better place, it was in the SMTP draft.

I'm not sure that section 2.1 is a good fit for the OPS draft, which is already somewhat of a chimera as a result of a change of mission from an informational implementation/ops guide to a 6698 update.

What is perhaps missing is a generic document describing DANE implementation guidelines for opportunistic protocols that use DANE for "discovery", and implement DANE-based authentication only when keys are found (this is the use-case addressed by 2.1, though some or most of it might also apply in non-opportunistic scenarios). There could be a separate document with implementation guidelines for using DANE for mandatory security (application must use authentication by local policy, with TLSA RRs for key lookup).

[ Any volunteers? I need a break from IETF activity after all the sturm und drang over the opportunistic security definition draft. ]

Another option may be to move 2.1 into the SRV draft, and use it by reference from SMTP. Tony's original documents had most of the meat in the SRV draft, and SMTP was a thin variant. The main difficulty is that SRV does not have an explicit opportunistic or mandatory mode of operation. It leaves that question unaddressed. So moving 2.1 into the SRV document might require at least some text about differences between opportunistic DANE and mandatory DANE.

We have a record format in 6698, but we don't yet have a document that presents a model of how DANE should be used. And there are in fact at least two high-level models to describe. The SRV document is basically DANE with Service Specification records (http://www.ietf.org/archive/id/draft-ogud-dane-vocabulary-02.txt).

Perhaps the SRV draft should become primarily "Opportunistic DANE with SSR" (some of the content already makes more sense in that light), with a section at the end that briefly touches on how the mandatory SRV use-case might differ? If so, 2.1 moves to the SRV draft, and the SMTP draft imports it by reference. Other bits could move over also (the sections on the various Certificate usages, for example).

This is a difficult question, and another option is to focus and specify DANE for XMPP (which is looking to use the SRV draft as its DANE specification), leaving generic SRV for a time when we have more clarity. Are there other major application protocols with SRV records that are gearing up to use DANE?

Here, I think there needs to be a vision of how all the pieces fit together, and somebody to drive it. At this time, per-protocol documents may be easier to pin down, and SRV is arguably too general.

-- 
Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
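As an added illustration of the two models the message distinguishes (this is example code, not text from the drafts or from the author), here is a small Python policy function showing how an opportunistic client ("DANE for discovery") and a mandatory client ("authentication required by local policy") react to the same TLSA lookup outcomes. The DNSSEC status values, the record representation and the action names are assumptions made for this sketch.

```python
# Added example: opportunistic vs. mandatory DANE client policy.
# Assumptions (not from the message): a TLSA lookup yields a DNSSEC
# validation status plus the set of usable TLSA records; the action
# names are illustrative.
from dataclasses import dataclass, field
from enum import Enum


class DnsStatus(Enum):
    SECURE = "secure"      # answer validated by DNSSEC
    INSECURE = "insecure"  # zone is not signed; no DANE possible
    BOGUS = "bogus"        # validation failed (misconfiguration or tampering)


class Action(Enum):
    DANE_TLS = "TLS authenticated against TLSA records"
    OPPORTUNISTIC_TLS = "unauthenticated TLS if the peer offers it"
    REFUSE = "do not connect"


@dataclass(frozen=True)
class TlsaLookup:
    status: DnsStatus
    # Constructed stand-ins for usable TLSA RRs, e.g. "3 1 1 <hash>".
    usable_records: tuple = field(default_factory=tuple)


def choose_action(lookup: TlsaLookup, mandatory: bool) -> Action:
    """Decide how to connect given a TLSA lookup result.

    mandatory=False models "DANE for discovery": authenticate only when
    keys are found, otherwise fall back to unauthenticated TLS.
    mandatory=True models "DANE by local policy": keys are required and
    their absence is a hard failure.
    """
    if lookup.status is DnsStatus.BOGUS:
        # Both modes: a failed validation must never downgrade to a
        # weaker connection, so treat it as a lookup failure.
        return Action.REFUSE
    if lookup.status is DnsStatus.SECURE and lookup.usable_records:
        return Action.DANE_TLS
    # Unsigned zone, or signed zone with no usable records: no keys found.
    return Action.REFUSE if mandatory else Action.OPPORTUNISTIC_TLS
```

The difference between the two models lies entirely in the last line: the same "no keys found" outcome is a fallback for the opportunistic client and a refusal for the mandatory one.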
