Hi! Victor, Mark and Paul,
Thank you so much for crucial comments and candid opinions.
We have been thinking about the downgrade attacks that you mentioned.
Right now, It is not easy to come up with a solution space for such attacks.
We agree that it is better to discuss this proposal (after addressing such
issues) in later meetings.
So we'd like to withdraw our presentation slot this time.
Thank you,
Hyeonmin and Taekyoung,
On Mon, Jul 17, 2023 at 7:38 PM wrote:
> Send DNSOP mailing list submissions to
> dnsop@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.ietf.org/mailman/listinfo/dnsop
> or, via email, send a message with subject or body 'help' to
> dnsop-requ...@ietf.org
>
> You can reach the person managing the list at
> dnsop-ow...@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of DNSOP digest..."
> Today's Topics:
>
>1. draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?
> (Viktor Dukhovni)
>2. Re: draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda? (Viktor Dukhovni)
>3. Re: draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda? (Mark Andrews)
>4. Re: [Ext] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda? (Paul Hoffman)
>5. Re: Best Practices for Managing Existing Delegations When
> Deleting a Domain or Host (Viktor Dukhovni)
>6. Re: Fwd: New Version Notification -
> draft-ietf-dnsop-avoid-fragmentation-13.txt (Peter van Dijk)
>
>
>
> -- Forwarded message --
> From: Viktor Dukhovni
> To: dnsop-cha...@ietf.org
> Cc: dnsop@ietf.org
> Bcc:
> Date: Sun, 16 Jul 2023 15:06:35 -0400
> Subject: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop agenda?
> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
> dnsop agenda.
>
> https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
>
> I haven't seen prior discussion of this item on the list, and,
> personally, rather suspect it unlikely to gain meaningful support from
> the WG and see adoption.
>
> Would it possible to defer discussion of this document to such time as
> some evidence of support emerges, and in the meantime use the timeslot
> for more realistically productive proposals?
>
> --
> Viktor.
>
>
>
>
>
> -- Forwarded message --
> From: Viktor Dukhovni
> To: dnsop@ietf.org
> Cc:
> Bcc:
> Date: Sun, 16 Jul 2023 15:53:12 -0400
> Subject: Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda?
> On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
> > I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
> dnsop agenda.
> >
> > https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
> >
> > I haven't seen prior discussion of this item on the list, and,
> > personally, rather suspect it unlikely to gain meaningful support from
> > the WG and see adoption.
> >
> > Would it possible to defer discussion of this document to such time as
> > some evidence of support emerges, and in the meantime use the timeslot
> > for more realistically productive proposals?
>
> I should perhaps have stated the technical criteria on which I consider
> the proposal non-viable. To whit:
>
> - The proposed protocol lacks all downgrade resistance.
> - Without a signed delegation from the parent, the existence of the
> zone apex CERT MRs and associated RRSIGs is trivially denied by
> an on-path attacker.
> - This protocol adds failure modes (CERTs and RRSIGs are available,
> but don't match), without adding any security.
>
> Since the point of DNSSEC is to thwart active attacks, and the protocol
> in the proposed draft offers no such protection, I consider it
> non-viable.
>
> There are other substantial issues, but the above is sufficient to stop
> looking for more reasons why this is a dead-end.
>
> --
> Viktor.
>
>
>
>
>
> -- Forwarded message --
> From: Mark Andrews
> To: dnsop
> Cc:
> Bcc:
> Date: Mon, 17 Jul 2023 09:47:35 +1000
> Subject: Re: [DNSOP] draft-dnsop-dnssec-extension-pkix on IETF117 dnsop
> agenda?
>
>
> > On 17 Jul 2023, at 05:53, Viktor Dukhovni
> wrote:
> >
> > On Sun, Jul 16, 2023 at 03:06:35PM -0400, Viktor Dukhovni wrote:
> >> I see that draft-dnsop-dnssec-extension-pkix is included on the IETF117
> dnsop agenda.
> >>
> >>https://datatracker.ietf.org/doc/draft-dnsop-dnssec-extension-pkix/
> >>
> >> I haven't seen prior discussion of this item on the list, and,
> >> personally, rather suspect it unlikely to gain meaningful support from
> >> the WG and see adoption.
> >>
> >> Would it possible to defer discussion of this document to such time as
> >> some evidence of support emerges, and in the meantime use the timeslot
> >> for more realistically productive proposals?
> >
> > I should perhaps have stated the technical criteria