TLS DNSSEC Chain Extension
draft-dukhovni-tls-dnssec-chain-08

(Via drafts-eval@iana.org): IESG/Authors/ISE:

The IANA Functions Operator has completed its review of draft-dukhovni-tls-dnssec-chain. If any part of this review is inaccurate, please let us know.

We understand that when this document is sent to us for processing, we will perform one registry action.

The following entry will be added to the TLS ExtensionType Values registry at https://www.iana.org/assignments/tls-extensiontype-values:

Value: TBD
Extension Name: dnssec_chain
TLS 1.3: CH
Recommended: No
Reference: this document

Thank you,

Michelle Cotton
Protocol Parameters Engagement Sr. Manager
IANA Services

draft-dukhovni-tls-dnssec-chain has been brought to the ISE for
publication as an Experimental RFC on the Independent Submission Stream.

==Purpose==

This document describes an experimental TLS extension for in-band
transport of the complete set of DNSSEC validated records needed to
perform DANE authentication of a TLS server. The document is published
to allow interoperable experimental implementations and to gather
feedback on whether the approach works and is useful.

==History==

This document was originally processed by the TLS WG. There was late
feedback questioning whether it would be effective and wondering about
the threat model it addressed. That discussion got very heated and
acrimonious, and the WG failed to reach any consensus and it seemed that
there was no further energy to attempt consensus. The proponents of
various deployment models were advised (by the TLS chairs) to seek
publication of independent documents for the given use cases via ISE or
other venues.

The ISE consulted with the Sec ADs and TLS chairs to find out whether
this work should be done within the TLS WG. They confirmed this view and
suggested that the path through the working group was "blocked".

==Not the IETF==

The Abstract and Introduction are clear that this work was developed
outside the IETF.

==Scope of the Experiment==

This document has a dedicated section (1.1) to describe the scope of the
experiment. That section clearly notes the concerns raised in the TLS
working group.

==IANA==

This document requests a code point from the TLS ExtensionType Values
registry https://www.iana.org/assignments/tls-extensiontype-values.
That registry is "Specification Required" which will be covered by this
document if published on the Independent Submissions Stream.

The assignment request suggests that the codepoint be marked as
Recommended = "No" which is appropriate for a non-IETF document.

Per RFC 8447 Section 17, the authors have sent mail to the mailing
list tls-reg-review@ietf.org. Rich Salz responded:

  Sure, the draft is readable and implementable.  You can have
  number 59, if one of the other two reviewers agree.

We wait to hear from a second reviewer.

==Reviews==

Reviews were initially hard to find. Many people considered themselves
compromised by either their support of or opposition to the draft and
declined to give a review. Ultimately, reviews were performed for the
ISE as follows:

- Nico Williams : positive, but no detailed comments

- Stephen Farrell : small comments

- Shane Kerr : detailed review

- Matthijs Mekking : detailed review

The ISE also performed a review.

Details of the reviews are available on request.

draft-dukhovni-tls-dnssec-chain has been brought to the ISE for
publication as an Experimental RFC on the Independent Submission Stream.

==Purpose==

This document describes an experimental TLS extension for in-band
transport of the complete set of DNSSEC validated records needed to
perform DANE authentication of a TLS server. The document is published
to allow interoperable experimental implementations and to gather
feedback on whether the approach works and is useful.

==History==

This document was originally processed by the TLS WG. There was late
feedback questioning whether it would be effective and wondering about
the threat model it addressed. That discussion got very heated and
acrimonious, and the WG failed to reach any consensus and it seemed that
there was no further energy to attempt consensus. The proponents of
various deployment models were advised (by the TLS chairs) to seek
publication of independent documents for the given use cases via ISE or
other venues.

The ISE consulted with the Sec ADs and TLS chairs to find out whether
this work should be done within the TLS WG. They confirmed this view and
suggested that the path through the working group was "blocked".

==Not the IETF==

The Abstract and Introduction are clear that this work was developed
outside the IETF.

==Scope of the Experiment==

This document has a dedicated section (1.1) to describe the scope of the
experiment. That section clearly notes the concerns raised in the TLS
working group.

==IANA==

This document requests a code point from the TLS ExtensionType Values
registry https://www.iana.org/assignments/tls-extensiontype-values.
That registry is "Specification Required" which will be covered by this
document if published on the Independent Submissions Stream.

The assignment request suggests that the codepoint be marked as
Recommended = "No" which is appropriate for a non-IETF document.

The authors need to respond to me about RFC 8447 Section 17 <<<<<<<<<<<<<<<<<<<<<<<<

==Reviews==

Reviews were initially hard to find. Many people considered themselves
compromised by either their support of or opposition to the draft and
declined to give a review. Ultimately, reviews were performed for the
ISE as follows:

- Nico Williams : positive, but no detailed comments

- Stephen Farrell : small comments

- Shane Kerr : detailed review

- Matthijs Mekking : detailed review

The ISE also performed a review.

Details of the reviews are available on request.