Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
draft-ietf-dane-use-cases-05
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
05 | (System) | post-migration administrative database adjustment to the No Objection position for Dan Romascanu |
2011-09-13
|
05 | Amy Vezza | State changed to RFC Ed Queue from Approved-announcement sent. |
2011-09-12
|
05 | (System) | IANA Action state changed to No IC from In Progress |
2011-09-12
|
05 | (System) | IANA Action state changed to In Progress |
2011-09-12
|
05 | Amy Vezza | IESG state changed to Approved-announcement sent |
2011-09-12
|
05 | Amy Vezza | IESG has approved the document |
2011-09-12
|
05 | Amy Vezza | Closed "Approve" ballot |
2011-09-12
|
05 | Stephen Farrell | Approval announcement text changed |
2011-09-12
|
05 | Stephen Farrell | Approval announcement text regenerated |
2011-09-11
|
05 | Dan Romascanu | [Ballot Position Update] Position for Dan Romascanu has been changed to No Objection from Discuss |
2011-09-09
|
05 | Stephen Farrell | Ballot writeup text changed |
2011-09-09
|
05 | Stephen Farrell | Ballot writeup text changed |
2011-09-09
|
05 | Stephen Farrell | Ballot writeup text changed |
2011-09-09
|
05 | Stephen Farrell | Ballot writeup text changed |
2011-08-25
|
05 | Cindy Morgan | Removed from agenda for telechat |
2011-08-25
|
05 | Cindy Morgan | State changed to IESG Evaluation::AD Followup from IESG Evaluation. |
2011-08-25
|
05 | Dan Romascanu | [Ballot comment] Having acronyms (PKIX, AAAA, XMPP, etc. ) expanded at first occurence would increase the readability of the document |
2011-08-25
|
05 | Dan Romascanu | [Ballot discuss] Before I can add my support to this well-written document I would like the author to address the following issue raised in the … [Ballot discuss] Before I can add my support to this well-written document I would like the author to address the following issue raised in the DNS-DIR review by Peter Koch: I have a concern regarding the repeated use of the term "domain holder" throughout the document. In the introduction it says With the advent of DNSSEC [RFC4033], it is now possible for DNS name resolution to provide its information securely, in the sense that clients can verify that DNS information was provided by the domain holder and not tampered with in transit. [...] where the first conclusion simply isn't true. All that DNSSEC provides is data origin authentication with the origin being the DNS zone. DNSSEC dos not help to identify the party applying or authorizing entries into that zone. Later on, section 3.3 correctly makes that distinction: By the same token, this use case puts the most power in the hands of DNS operators. Since the operator of the appropriate DNS zone has de facto control over the content and signing of the zone, he can create false DANE records that bind a malicious party's certificate to a domain. This risk is especially important to keep in mind in cases where the operator of a DNS zone is a different entity than the holder of the domain, as in DNS hosting/outsourcing arrangements, since in these cases the DNS operator might be able to make changes to a domain that are not authorized by the holder of the domain. However, it's not only a malicious operator that can interfere. Nowhere does it say that the operator has specific duties to verify or validate DANE information before entering data into the zone. Negligence or malice don't make a difference. The fact that the zone is DNSSEC signed does not change that since the only meaning of the RRSIGs is that the zone operator attests the data was present as signed. Also "domain holder" is usually understood as equivalent to a registrant, meaning someone who registered a 2nd (or 3rd, where applicable) domain name. It is not obvious how to apply this logic to nodes further down the tree. |
2011-08-25
|
05 | Dan Romascanu | [Ballot Position Update] New position, Discuss, has been recorded |
2011-08-24
|
05 | David Harrington | [Ballot comment] good draft. multiple typos need correcting; I assume rfc editor will fix them. |
2011-08-24
|
05 | David Harrington | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-24
|
05 | Russ Housley | [Ballot comment] Please consider the comments from the Gen-ART Review by Alexey Melnikov on 8-Jul-2011. |
2011-08-24
|
05 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-24
|
05 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-24
|
05 | Pete Resnick | [Ballot comment] My hesitancy to put a "Yes" on this document is exactly the opposite of Jari's: I think this document bends over backwards far … [Ballot comment] My hesitancy to put a "Yes" on this document is exactly the opposite of Jari's: I think this document bends over backwards far too much in section 3.3 to preserve traditional root CAs. Indeed, I would have much preferred if the use cases *started* with 3.3 and ended with 3.1, as I think 3.3 is the much more interesting use case. As stated in the last paragraph of 3.3, DNS ops are already trusted more than than root CAs, as a malicious DNS operator can already obtain a root CA signed cert for domains that they control, so as a domain owner I currently need to trust two entities. Better in the long run that I trust one (the DNS op), and all the better that I can be my own DNS op and be in charge of my own certs. I am fully in favor of this effort. I only wish this document did less kowtowing to the current CA model. |
2011-08-24
|
05 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-24
|
05 | Jari Arkko | [Ballot comment] I would support this document with a Yes position otherwise, but I'm a bit hesitant on the ability to *replace* (not just add … [Ballot comment] I would support this document with a Yes position otherwise, but I'm a bit hesitant on the ability to *replace* (not just add to) the traditional root certificate operators by DNS operators. Its not clear that I trust the DNS operators any more than I trust the root CAs... (and besides, they are often the same guys), so this flexibility seems to add potential vulnerabilities to bid down to the least trusted DNS/CA operator. |
2011-08-24
|
05 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-24
|
05 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-24
|
05 | Sean Turner | [Ballot comment] I'm glad that Eve's and Mallory's already precarious reputations were not further denigrated by this draft. |
2011-08-24
|
05 | Sean Turner | [Ballot Position Update] New position, Yes, has been recorded |
2011-08-23
|
05 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-22
|
05 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded |
2011-08-22
|
05 | Peter Saint-Andre | [Ballot comment] I strongly support publication of this document. I have one comment of substance: Section 2 states that "multiple servers ... may be co-located … [Ballot comment] I strongly support publication of this document. I have one comment of substance: Section 2 states that "multiple servers ... may be co-located on a single physical host, using different ports". If I understand this statement correctly, I think the part about different ports applies to some application protocols (e.g., HTTP) but not to all application protocols. Perhaps "often using different ports" would be more accurate? Also, it would be good to fix the minor but annoying typographical errors that have crept into the document ("ciertificate", "case a denial of service", "Section Section", etc.). |
2011-08-22
|
05 | Peter Saint-Andre | [Ballot Position Update] New position, Yes, has been recorded |
2011-08-21
|
05 | Wesley Eddy | [Ballot Position Update] New position, Yes, has been recorded |
2011-08-11
|
05 | Stephen Farrell | Placed on agenda for telechat - 2011-08-25 |
2011-08-11
|
05 | Stephen Farrell | State changed to IESG Evaluation from Waiting for AD Go-Ahead. |
2011-08-11
|
05 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2011-08-11
|
05 | Stephen Farrell | Ballot has been issued |
2011-08-11
|
05 | Stephen Farrell | Created "Approve" ballot |
2011-08-11
|
05 | Stephen Farrell | Ballot writeup text changed |
2011-08-05
|
05 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Charlie Kaufman. |
2011-07-28
|
05 | (System) | New version available: draft-ietf-dane-use-cases-05.txt |
2011-07-19
|
05 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call. |
2011-07-14
|
05 | Amanda Baber | [Note]: 'Ond?ej Sur� (ondrej.sury@nic.cz) is the Document Shepherd.' added by Amanda Baber |
2011-07-14
|
05 | Amanda Baber | We understand that this document doesn't require any IANA actions. |
2011-07-09
|
05 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Charlie Kaufman |
2011-07-09
|
05 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Charlie Kaufman |
2011-07-05
|
05 | Amy Vezza | Last call sent |
2011-07-05
|
05 | Amy Vezza | State changed to In Last Call from Last Call Requested. The following Last Call Announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: … State changed to In Last Call from Last Call Requested. The following Last Call Announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Subject: Last Call: (Use Cases and Requirements for DNS-based Authentication of Named Entities (DANE)) to Informational RFC The IESG has received a request from the DNS-based Authentication of Named Entities WG (dane) to consider the following document: - 'Use Cases and Requirements for DNS-based Authentication of Named Entities (DANE)' as an Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2011-07-19. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Many current applications use the certificate-based authentication features in TLS to allow clients to verify that a connected server properly represents a desired domain name. Traditionally, this authentication has been based on PKIX trust hierarchies, rooted in well-known CAs, but additional information can be provided via the DNS itself. This document describes a set of use cases in which the DNS and DNSSEC could be used to make assertions that support the TLS authentication process. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-dane-use-cases/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-dane-use-cases/ No IPR declarations have been submitted directly on this I-D. |
2011-07-04
|
05 | Stephen Farrell | Last Call was requested |
2011-07-04
|
05 | Stephen Farrell | State changed to Last Call Requested from Publication Requested. |
2011-07-04
|
05 | Stephen Farrell | Last Call text changed |
2011-07-04
|
05 | (System) | Ballot writeup text was added |
2011-07-04
|
05 | (System) | Last call text was added |
2011-07-04
|
05 | (System) | Ballot approval text was added |
2011-07-01
|
05 | Amy Vezza | (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he … (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Ond?ej Surý is the Document Shepherd. I have personally reviewed the document and I believe it is ready for publication. (1.b) Has the document had adequate review both from key WG members and from key non-WG members? Does the Document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? The document has been reviewed by both key DANE WG participants and also by members of DNS and PKIX communities. There is no concern about the reviews. (1.c) Does the Document Shepherd have concerns that the document needs more review from a particular or broader perspective, e.g., security, operational complexity, someone familiar with AAA, internationalization or XML? The Document Shepherd doesn't have any concerns. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Has an IPR disclosure related to this document been filed? If so, please include a reference to the disclosure and summarize the WG discussion and conclusion on this issue. Responsible Area Director and the IESG should be aware of that some WG members has expressed concern about a use case where the future-to-be DANE protocol can be used without DNSSEC, e.g. use DNS responses which has not been signed and/or validated by DNSSEC. However there was a rough consensus in the WG that it's OK for the use cases document to describe the security implications of not using DNSSEC, leaving the final decision on support for the protocol document. The WG chairs and the document author supports this view reached by rough consensus. (1.e) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is a strong consensus on this document by the active WG members with notable exception as outlined in (1.d) where only rough consensus was reached. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is entered into the ID Tracker.) None. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See the Internet-Drafts Checklist and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? The document has been reviewed manually against ID Checklist Revision 1.9 and automatically with idnits 2.12.12. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967]? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967]. The document splits the references. There is no downward reference in the normative reference. (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol extensions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC5226]. If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation? Yes. IANA consideration section exists in the document, but no action is required. (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? The document contains no formal language. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary Many current applications use the certificate-based authentication features in TLS to allow clients to verify that a connected server properly represents a desired domain name. Traditionally, this authentication has been based on PKIX trust hierarchies, rooted in well-known CAs, but additional information can be provided via the DNS itself. This document describes a set of use cases in which the DNS and DNSSEC could be used to make assertions that support the TLS authentication process. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? The DANE WG has been asked at the IETF80 meeting in Prague to write the use cases document before it continue the work on the DANE protocol draft. The draft has been discussed in the DANE WG mailing list and has a strong consensus in the WG for publication as an informational RFC with notable exception of controversy about allowing to use DNS responses not validated by DNSSEC in one of the use cases. The rough consensus is that this is still a valid use case and the issue will be addressed and resolved in the DANE protocol draft. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? This document was reviewed by various people and has been through WGLC successfully. |
2011-07-01
|
05 | Amy Vezza | Draft added in state Publication Requested |
2011-07-01
|
05 | Amy Vezza | [Note]: 'Ond?ej Surý (ondrej.sury@nic.cz) is the Document Shepherd.' added |
2011-06-29
|
04 | (System) | New version available: draft-ietf-dane-use-cases-04.txt |
2011-06-12
|
03 | (System) | New version available: draft-ietf-dane-use-cases-03.txt |
2011-04-29
|
02 | (System) | New version available: draft-ietf-dane-use-cases-02.txt |
2011-04-22
|
01 | (System) | New version available: draft-ietf-dane-use-cases-01.txt |
2011-04-20
|
00 | (System) | New version available: draft-ietf-dane-use-cases-00.txt |