On 4/21/21 10:08 AM, Christian Huitema wrote:
> On 4/21/2021 9:31 AM, Michael Thomas wrote:
>> Chrome already did the DANE work once upon a time so DNSSec is the
>> only missing piece. But the very thought that the number of packets
>> exchanged in a transport protocol's setup is *off topic* within 24
>> hours and a few messages back and forth speaks miles about how broken
>> many working groups are and why nobody wants to participate.
>
> My takeaway from these exchanges is a bit different. You are
> advocating for using Dane instead of PKI during the authentication
> exchange, because this leads to fewer packets. People provided three
> different counter arguments. The first argument was that in first
> order, performance is measured by the number of round-trips, not the
> number of packets, and that using Dane instead of PKI would not result
> in big performance gains in practice. The second argument was that the
> full authentication exchange is only used in a small fraction of
> connections. The other exchanges use session resumption, and in that
> case there is no difference between Dane and PKI. The third argument
> was that there is no specific work to do in the QUIC working group on
> this topic, since QUIC relies on TLS 1.3 for authentication and TLS
> 1.3 already supports Dane. Using Dane instead of PKI is a deployment
> issue, not a protocol development issue, and there is no concrete work
> for the QUIC WG.

The meta question is whether that is so off topic that it needs to be
officially shut down with the working group chairs. The technical merits
are what they are. What I was told in no uncertain terms is that I am
not allowed to even ask the question. Is that appropriate?

Mike