Re: [mif] Last Call: <draft-ietf-mif-mpvd-arch-09.txt> (Multiple Provisioning Domain Architecture) to Informational RFC

2015-02-05 10:52:29
On 5.2.2015, at 6.25, Dmitry Anipko <dmitry(_dot_)anipko(_at_)gmail(_dot_)com> wrote:
My reading is that there is a consensus to fix the name misspelling :-), but 
I could not quite read whether the PKI question got resolved. Markus, can you 
please comment whether the modification Ted worded would address your concern?

Sorry, I got sidetracked to writing a security audit document and never got 
back. We all have our guilty pleasures..

Anyway, haha ;) Guess we agree about something at least!

So final suggestion - get rid of DANE, get rid of TLS, and probably rework 
the text in that paragraph a bit to make it simpler. As-is, both DANE and 
TLS mention seem superfluous.
I'm skeptical about this--I think it's good to mention DANE. DNSSEC is in 
effect a PKI, but it's quite a bit different than the other common PKI 
example. How about "a PKI, for example DNSSEC/DANE or X.509?" That way we 
don't lose the mention of DNSSEC, but keep it open to other PKIs.

If simplification is not desired, I guess we can work that in too.

DANE is just about binding a (DNS) label + port + protocol using various 
selectors to a X.509 certificate (either CA or end node one).

Text in question:

   If authentication is done using a public key mechanism such as a TLS
   certificate or DANE, authentication by itself is not enough since
   theoretically any PvD could be authenticated in this way.  In
   addition to authentication, the node would need configuration to
   …

I am not sure where this DNS label + port + protocol combination would be 
derived from this case, but admittedly (say) using DHCPv6 or something might 
make sense in this case.

So.. my proposed version:

   If authentication is done using a public key mechanism such as
   PKI certificate chain validation or DANE, authentication by itself is
   not enough since theoretically any PvD could be authenticated in this
   way.  In addition to authentication, the node would need configuration
   to

As the text talks of public key authentication mechanisms, I think PKI 
certificate chain validation and DANE both qualify. The old text's 'TLS 
certificate' is just weird to me, although I understand the idea is 
fundamentally the same.

Cheers,

-Markus
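Markus's description of DANE above (a DNS label + port + protocol bound through selectors to an X.509 certificate) as an added worked example, not code from the thread or from the draft: it builds the TLSA owner name and checks a TLSA record's usage, selector and matching-type fields against a certificate chain. The certificates are constructed stand-in byte strings, and extraction of the SubjectPublicKeyInfo is assumed to happen elsewhere.

```python
import hashlib
from dataclasses import dataclass

# One TLSA resource record (RFC 6698): usage, selector, matching type, data.
@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo (DER)
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

# A certificate as the checker sees it: (DER of the cert, DER of its SPKI).
# Assumption: SPKI extraction is done elsewhere; no ASN.1 parsing here.

def tlsa_owner_name(label: str, port: int, proto: str = "tcp") -> str:
    """DNS label + port + protocol -> TLSA owner name, e.g. _443._tcp.example.com"""
    return f"_{port}._{proto}.{label.rstrip('.')}"

def association_data(cert, selector, matching_type):
    """Certificate association data the record is compared against, or None."""
    cert_der, spki_der = cert
    selected = {0: cert_der, 1: spki_der}.get(selector)
    if selected is None:
        return None                     # unknown selector: record is unusable
    if matching_type == 0:
        return selected
    digest = {1: "sha256", 2: "sha512"}.get(matching_type)
    return hashlib.new(digest, selected).digest() if digest else None

def tlsa_matches(record, chain):
    """True if the record binds to the right certificate; chain[0] is the end entity."""
    if record.usage in (1, 3):      # PKIX-EE / DANE-EE: end-entity certificate only
        candidates = chain[:1]
    elif record.usage in (0, 2):    # PKIX-TA / DANE-TA: an issuing CA in the chain
        candidates = chain[1:]
    else:
        return False                # unknown usage: unusable record
    return any(association_data(c, record.selector, record.matching_type) == record.data
               for c in candidates)

# Constructed sample data: stand-in byte strings, not real DER certificates.
EE_CERT = (b"constructed-ee-cert-der", b"constructed-ee-spki-der")
CA_CERT = (b"constructed-ca-cert-der", b"constructed-ca-spki-der")
CHAIN = [EE_CERT, CA_CERT]
# "3 1 1": DANE-EE, SPKI selector, SHA-256; "2 0 1": DANE-TA pinned to the CA cert.
EE_RECORD = TLSARecord(3, 1, 1, hashlib.sha256(EE_CERT[1]).digest())
CA_RECORD = TLSARecord(2, 0, 1, hashlib.sha256(CA_CERT[0]).digest())
```

A match only shows that the binding holds for that name, port and protocol; whether the node should accept the PvD at all is the separate configuration question the draft text goes on to raise.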