Re: Last Call: <draft-ietf-dane-protocol-19.txt> (The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS)) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 18:41 11-04-2012, The IESG wrote:
The IESG has received a request from the DNS-based Authentication of
Named Entities WG (dane) to consider the following document:
- 'The DNS-Based Authentication of Named Entities (DANE) Protocol for
   Transport Layer Security (TLS)'
  <draft-ietf-dane-protocol-19.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2012-04-25. Exceptionally, comments may be

In Section 1.2:

 "This document applies to both TLS [RFC5246]"

Does this mean that DANE is not applicable for TLS 1.1?

In Section 1.3:

  "A DNS query can return multiple certificate associations, such as in
   the case of a server is changing from one certificate to another."

The sentence seems incorrect.

In Section 2.1.1:

  "The certificate usages defined in this document explicitly only apply
   to PKIX-formatted certificates in DER encoding."

I suggest adding a reference to X.690.

In Section 2.1.3:

  "If the TLSA record's matching type is a hash, having the record use
   the same hash algorithm that was used in the signature in the
   certificate (if possible) will assist clients that support a small
   number of hash algorithms."

As a comment that does not argue for any change, having SHA-256 hash as the "lowest" hash excludes SHA-1, a widely deployed hash algorithm. I gather that the WG has made a tradeoff between perceived security and ease of deployment.

In Section 3:

  'For example, to request a TLSA resource record for an HTTP server
   running TLS on port 443 at "www.example.com",
   "_443._tcp.www.example.com" is used in the request.  To request a
   TLSA resource record for an SMTP server running the STARTTLS protocol
   on port 25 at "mail.example.com", "_25._tcp.mail.example.com" is
   used.'

HTTPS for www.example.com is a straight-forward example. In the case of a SMTP server, it is not as easy. Once the target host is located, mail.example.com in this case, one might assume that the server would advertise that hostname or the domain name used to locate the target host as an identity. That's rarely the case due to issues outside the scope of DANE. It's easier not to use the STARTTLS protocol as an example.

In Section 7.2, 7.3 and 7.4:

 "Applications to the registry can request specific values that have
  yet to be assigned."

What is the meaning of "can request specific values" in that sentence?

In Section 8.1:

  "If it is less likely that a user will hear about its trusted DNSSEC
   validators being hacked that it is of a public CA being compromised"

I suggest using "compromised" instead of "hacked".

Regards,
-sm


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]