On 4/21/2021 10:49 AM, Michael Thomas wrote:
> On 4/21/21 10:08 AM, Christian Huitema wrote:
>> On 4/21/2021 9:31 AM, Michael Thomas wrote:
>>> Chrome already did the DANE work once upon a time so DNSSec is the
>>> only missing piece. But the very thought that the number of packets
>>> exchanged in a transport protocol's setup is *off topic* within 24
>>> hours and a few messages back and forth speaks miles about how
>>> broken many working groups are and why nobody wants to participate.
>>
>> My takeaway from these exchanges is a bit different. You are
>> advocating for using Dane instead of PKI during the authentication
>> exchange, because this leads to fewer packets. People provided three
>> different counter arguments. The first argument was that in first
>> order, performance is measured by the number of round-trips, not the
>> number of packets, and that using Dane instead of PKI would not
>> result in big performance gains in practice. The second argument was
>> that the full authentication exchange is only used in a small
>> fraction of connections. The other exchanges use session resumption,
>> and in that case there is no difference between Dane and PKI. The
>> third argument was that there is no specific work to do in the QUIC
>> working group on this topic, since QUIC relies on TLS 1.3 for
>> authentication and TLS 1.3 already supports Dane. Using Dane instead
>> of PKI is a deployment issue, not a protocol development issue, and
>> there is no concrete work for the QUIC WG.
>
> The meta question is whether that is so off topic that it needs to be
> officially shut down with the working group chairs. The technical
> merits are what they are. What I was told in no uncertain terms is
> that I am not allowed to even ask the question. Is that appropriate?

There are a couple of topics that would be clearly appropriate for the
QUIC working group. A document describing your experience deploying
QUIC+DANE, for example, would be on topic. If there are issues preventing
mutually agreeing clients and servers from using QUIC and DANE, that too
would be very much on topic. On the other hand, your latter posts
focused on the development of the Chrome browser, its level of support
for DANE, and Google's willingness to deploy DNSSEC in their domains.
That is very much off topic for the QUIC WG.
-- Christian Huitema