Last Call Review of draft-ietf-openpgp-crypto-refresh-12
review-ietf-openpgp-crypto-refresh-12-dnsdir-lc-blacka-2023-11-16-00

Request: Review of draft-ietf-openpgp-crypto-refresh
Requested revision: No specific revision (document currently at 13)
Type: Last Call Review
Team: DNS Directorate (dnsdir)
Deadline: 2023-11-19
Requested: 2023-10-29
Authors: Paul Wouters, Daniel Huigens, Justus Winter, Niibe Yutaka
I-D last updated: 2023-11-16
Completed reviews:
  Genart Last Call review of -12 by Linda Dunbar (diff)
  Dnsdir Last Call review of -12 by David Blacka (diff)
Assignment: Reviewer David Blacka
State: Completed
Request: Last Call review on draft-ietf-openpgp-crypto-refresh by DNS Directorate Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/dnsdir/UMXYOEooDmRk6PNhsNqT-bAUK-s
Reviewed revision: 12 (document currently at 13)
Result: Ready
Completed: 2023-11-16
As a DNS reviewer, I don't feel competent to review the cryptographic and
packet format content, which is 99.99% of this Internet-Draft.  I did read
through that content (skimmed? this draft is pretty long) and didn't notice
anything amiss.

The sole mention of DNS is in 5.2.3.24 "Notation Data", where it says:

> Names in the user namespace consist of a UTF-8 string tag followed by "@"
> followed by a DNS domain name. Note that the tag MUST NOT contain an "@"
> character. For example, the "sample" tag used by Example Corporation could be
> "sample@example.com".
>
> Names in a user space are owned and controlled by the owners of that domain.
> Obviously, it's bad form to create a new name in a DNS space that you don't
> own.
>
> Since the user namespace is in the form of an email address, implementers MAY
> wish to arrange for that address to reach a person who can be consulted about
> the use of the named tag. Note that due to UTF-8 encoding, not all valid user
> space name tags are valid email addresses.

This is clear on the surface -- if one is using a "user namespace" identifier,
it should look like an email address.  This is likely to be sufficient in
practice.  However, as a DNS person, one wonders what is meant by "DNS domain
name" *precisely*.  In particular, is it supposed to be an existing DNS domain
name?  Is it dangerous if not?  Are there limits on the length of the domain
name part (or the username part)?  How does "UTF-8" encoding mesh with standard
DNS domain name formats?  Do we expect the domain name part to be
"letters-digits-hyphens"? or can it be anything, differing from standard DNS
presentation format by UTF-8 encoding of non-ascii characters instead of
decimal encoding?

My guess is that what is meant is that the DNS domain name part of the
identifier is an existing (at the time) domain name that SHOULD be controlled
by the user. Saying it is existing (or did exist) brings along many
restrictions that then need not be stated.

These are very minor questions about a very minor part of this draft, however.
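As an added example (it is not part of the review above, nor code from the draft or any OpenPGP implementation), the following Python helper shows what an implementer is left to decide when parsing a notation name under 5.2.3.24. The split into tag and domain, and the rule that the tag MUST NOT contain "@", come from the draft; a name with no "@" is taken to be in the IETF namespace. Everything about the domain part beyond "a DNS domain name" is an assumed policy chosen here because the draft does not settle it: RFC 1035 length limits (labels of at most 63 octets, 253 octets overall), letters-digits-hyphens labels, and non-ASCII labels converted to A-label form with Python's built-in "idna" codec (IDNA 2003). No DNS lookup is performed, so whether the domain exists or is controlled by the signer is not checked. The sample inputs are constructed, apart from the draft's own "sample@example.com".

```python
"""Parse and sanity-check OpenPGP notation names (draft 5.2.3.24).

From the draft: a notation name is UTF-8; a user-namespace name is
<tag>@<domain>, the tag MUST NOT contain "@", and the domain part is
"a DNS domain name". Names without "@" are treated as IETF-namespace here.
The domain checks below (LDH labels, RFC 1035 length limits, IDNA 2003
A-label conversion) are an ASSUMED policy, not something the draft states.
"""
import re
from typing import Dict, Optional, Union

# Assumed policy: hostname-style labels, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_DOMAIN_OCTETS = 253  # assumed: RFC 1035 limit in presentation form
MAX_LABEL_OCTETS = 63    # assumed: RFC 1035 per-label limit


class NotationNameError(ValueError):
    """Raised when a name violates the draft's rules or the assumed domain policy."""


def _to_text(name: Union[str, bytes]) -> str:
    # The packet carries the name as raw octets; the draft says they are UTF-8.
    if isinstance(name, bytes):
        try:
            return name.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise NotationNameError(f"notation name is not valid UTF-8: {exc}") from None
    return name


def check_domain(domain: str) -> str:
    """Return the ASCII (A-label) form of the domain part, or raise NotationNameError.

    This is the assumed policy described in the module docstring.
    """
    if domain.endswith("."):          # accept one trailing dot (FQDN presentation form)
        domain = domain[:-1]
    if not domain:
        raise NotationNameError("domain part is empty")
    try:
        ascii_domain = domain.encode("idna").decode("ascii")
    except UnicodeError as exc:
        # Empty labels ("a..b"), over-long labels and unmappable code points land here.
        raise NotationNameError(f"domain part is not a valid IDNA domain: {exc}") from None
    if len(ascii_domain) > MAX_DOMAIN_OCTETS:
        raise NotationNameError(f"domain part longer than {MAX_DOMAIN_OCTETS} octets")
    for label in ascii_domain.split("."):
        if len(label) > MAX_LABEL_OCTETS:
            raise NotationNameError(f"label {label!r} longer than {MAX_LABEL_OCTETS} octets")
        if not LDH_LABEL.match(label):
            raise NotationNameError(f"label {label!r} is not letters-digits-hyphens")
    return ascii_domain


def parse_notation_name(name: Union[str, bytes]) -> Dict[str, Optional[str]]:
    """Classify a notation name as IETF- or user-namespace and return its parts."""
    text = _to_text(name)
    if not text:
        raise NotationNameError("notation name is empty")
    if "@" not in text:
        return {"namespace": "ietf", "tag": text, "domain": None, "ascii_domain": None}
    tag, _, domain = text.partition("@")
    if "@" in domain:
        # The draft forbids "@" in the tag, and a domain name never contains one,
        # so a second "@" cannot be placed anywhere legitimately.
        raise NotationNameError("user-namespace name contains more than one '@'")
    if not tag:
        raise NotationNameError("user-namespace name has an empty tag")
    return {"namespace": "user", "tag": tag, "domain": domain,
            "ascii_domain": check_domain(domain)}


if __name__ == "__main__":
    # Constructed inputs; "sample@example.com" is the draft's own example.
    for candidate in ["sample@example.com", "übung@bücher.example",
                      b"sample@example.com", "no-at-sign", "a@b@example.com",
                      "sample@", "sample@-bad.example", "sample@a..b"]:
        try:
            print(candidate, "->", parse_notation_name(candidate))
        except NotationNameError as exc:
            print(candidate, "-> rejected:", exc)
```

Note that the tag is deliberately left unchecked beyond the "@" rule: the draft says tags are UTF-8 and explicitly warns that not every valid tag is a valid email address, so applying email syntax to it would reject names the draft allows.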