Correction -- it was flagged to me that I read the BR text too quickly;
the prohibition here is against RFC 1918 IP addresses, not IP addresses
in general. The general notion stands, however, that cert holders of IP
address certs need to first demonstrate control of that address to
obtain the cert in the same way as certs that refer to names.
/a
On 9/20/17 5:54 PM, Adam Roach wrote:
The dichotomy you lay out doesn't make sense because HTTP already has
a well-defined security model. As it stands, HTTPS implies the use of
trusted public roots, and CAB Forum Baseline Requirements section
9.2.1 forbids the issuance of a cert for IP addresses. One of the
things that is appealing about HTTPS as a substrate (for better or
worse) is that it has a well-defined and proven scalable system for
the kind of security issues you describe below.
The issue with putting discovery in this charter is that it's the
wrong community of interest and expertise for what you propose. I
would imagine that this is the same reason that RFC3315bis is being
done in DHC rather than V6OPS (although -- full disclosure -- that
decision is a bit outside of what I tend to track).
/a
On 9/20/17 10:14 AM, Toerless Eckert wrote:
On Fri, Sep 15, 2017 at 08:44:53AM -0700, The IESG wrote:
[...]
Specification of how the DNS data may be used for new use cases, and
the discovery of the DOH servers, are out of scope for the working
group.
I disagree on this becoming a working group unless the charter says
either:
a) Discovery is in scope
I have no specific preferences of what discovery is done, I just
think that the security discussion needs to take the discovery being
used into account. I can already see how DoH clients will just use some
configured IP address for the DoH server and accept whatever self-signed
TLS certs are being offered. And the industry thinks it's a great
security improvement because it uses TLS. I am sure there are enough
people willing to work on DoH that would be able to write down how to do
that discovery piece more securely, so why stop them doing it by writing
"out of charter".
or
b) Security is optional. The documents will sprinkle some security fairy
dust in by mandating simple buzzwords like TLS Vmax so we can escape
further security discussions.
;-)
Cheers
Toerless