Wow, that sounds grisly for dynamically allocated IP addresses on broadband links.

On Wed, Sep 20, 2017 at 06:39:47PM -0500, Adam Roach wrote:
> Correction -- it was flagged to me that I read the BR text too quickly; the prohibition here is against RFC 1918 IP addresses, not IP addresses in general. The general notion stands, however, that cert holders of IP address certs need to first demonstrate control of that address to obtain the cert in the same way as certs that refer to names.
>
> /a
>
> On 9/20/17 5:54 PM, Adam Roach wrote:
> > The dichotomy you lay out doesn't make sense because HTTP already has a well-defined security model. As it stands, HTTPS implies the use of trusted public roots, and CAB Forum Baseline Requirements section 9.2.1 forbids the issuance of a cert for IP addresses. One of the things that is appealing about HTTPS as a substrate (for better or worse) is that it has a well-defined and proven scalable system for the kind of security issues you describe below.
> >
> > The issue with putting discovery in this charter is that it's the wrong community of interest and expertise for what you propose. I would imagine that this is the same reason that RFC3315bis is being done in DHC rather than V6OPS (although -- full disclosure -- that decision is a bit outside of what I tend to track).
> >
> > /a
> >
> > On 9/20/17 10:14 AM, Toerless Eckert wrote:
> > > On Fri, Sep 15, 2017 at 08:44:53AM -0700, The IESG wrote:
> > > [...]
> > > > Specification of how the DNS data may be used for new use cases, and the discovery of the DOH servers, are out of scope for the working group.
> > >
> > > I disagree on this becoming a working group unless the charter says either:
> > >
> > > a) Discovery is in scope
> > >
> > > I have no specific preferences of what discovery is done, I just think that the security discussion needs to take the discovery being used into account. I can already see how DoH clients will just use some configured IP address for the DoH server and accept whatever self-signed TLS certs are being offered. And the industry thinks it's a great security improvement because it uses TLS. I am sure there are enough people willing to work on DoH that would be able to write down how to do that discovery piece more securely, so why stop them doing it by writing "out of charter".
> > >
> > > or
> > >
> > > b) Security is optional. The documents will sprinkle some security fairy dust in by mandating simple buzzwords like TLS Vmax so we can escape further security discussions.
> > >
> > > ;-)
> > >
> > > Cheers
> > >     Toerless
> > >
> >
> > _______________________________________________
> > Doh mailing list
> > Doh@xxxxxxxx
> > https://www.ietf.org/mailman/listinfo/doh
>

-- 
---
tte@xxxxxxxxx
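As an added illustration that is not part of this thread or of any DoH implementation, the Python below contrasts the two client behaviours discussed above: a TLS context that accepts any self-signed certificate versus the default strict one, plus a check that a DoH server configured as an IP literal is not an RFC 1918 address and that the presented certificate actually names that literal in a SAN. The certificate dicts and addresses are constructed samples.

```python
import ipaddress
import ssl

# RFC 1918 ranges: publicly trusted CAs may not issue certificates for these,
# so a DoH client configured with such a literal can only "succeed" against
# public roots by disabling validation.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def make_weak_context() -> ssl.SSLContext:
    """The failure mode the thread warns about: any self-signed cert is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_strict_context() -> ssl.SSLContext:
    """Default context: trusted public roots, chain required, identity checked."""
    return ssl.create_default_context()


def endpoint_allowed(configured: str) -> bool:
    """Hostnames pass through; IP literals are rejected if in RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(configured)
    except ValueError:
        return True                      # a DNS name, normal name validation applies
    return not any(addr in net for net in RFC1918)


def cert_matches_ip(peercert: dict, configured: str) -> bool:
    """Identity check for an IP literal: the address must appear as an
    'IP Address' SAN; commonName is not consulted. peercert uses the dict
    shape returned by ssl.SSLSocket.getpeercert()."""
    want = ipaddress.ip_address(configured)
    return any(kind == "IP Address" and ipaddress.ip_address(val) == want
               for kind, val in peercert.get("subjectAltName", ()))


def check_endpoint(configured: str, peercert: dict) -> tuple:
    """Return (ok, reason) for a DoH endpoint configured as an IP literal."""
    if not endpoint_allowed(configured):
        return False, "RFC 1918 literal: no publicly trusted certificate can exist for it"
    if not cert_matches_ip(peercert, configured):
        return False, "certificate does not name the configured IP in a SAN"
    return True, "ok"


# Constructed sample peer certificates (not real certificates).
SAN_CERT = {"subjectAltName": (("DNS", "doh.example"), ("IP Address", "203.0.113.10"))}
CN_ONLY_CERT = {"subject": ((("commonName", "10.0.0.53"),),)}
```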