gnunet-svn
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lsd0001] branch master updated: more feedback integrated

From: gnunet
Subject: [lsd0001] branch master updated: more feedback integrated
Date: Thu, 05 May 2022 16:26:14 +0200 
This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository lsd0001.

The following commit(s) were added to refs/heads/master by this push:
     new 8e684c5  more feedback integrated
8e684c5 is described below

commit 8e684c59d2ba8cd839be2a0bbf21201aec3f910b
Author: Martin Schanzenbach <schanzen@gnunet.org>
AuthorDate: Thu May 5 16:26:10 2022 +0200

    more feedback integrated
---
 draft-schanzen-gns.xml | 40 +++++++++++++++++++++++++++++++---------
 rs_review_202204.txt   | 28 ++++++++++++++++++----------
 2 files changed, 49 insertions(+), 19 deletions(-)

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index e0b38de..50f71cd 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -14,6 +14,7 @@
 <!ENTITY RFC5869 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml";>
 <!ENTITY RFC5890 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5890.xml";>
 <!ENTITY RFC5895 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.5895.xml";>
+<!ENTITY RFC6066 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6066.xml";>
 <!ENTITY RFC6234 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6234.xml";>
 <!ENTITY RFC6761 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6761.xml";>
 <!ENTITY RFC6895 PUBLIC '' 
"http://xml.resource.org/public/rfc/bibxml/reference.RFC.6895.xml";>
@@ -450,8 +451,8 @@
    <section anchor="zones" numbered="true" toc="default">
      <name>Zones</name>
      <t>
-       A zone master implementation <bcp14>SHOULD</bcp14> enable the user to
-       create and manage zones.
+       A zone master implementation <bcp14>SHOULD</bcp14> enable the zone
+       owners to create and manage zones.
        If this functionality is not implemented, names can still be resolved
        if zone keys for the initial step in the name resolution are available
        (see <xref target="resolution"/>).
@@ -535,6 +536,8 @@
        document.
        All ztypes <bcp14>MUST</bcp14> be registered as dedicated zone 
delegation
        record types in the GNU Name System Record Types registry (see <xref 
target="gana"/>).
+       When defining new record types the cryptographic security considerations
+       of this document apply, in particular <xref 
target="security_cryptography"/>.
      </t>
      <section anchor="zTLD" numbered="true" toc="default">
        <name>Zone Top-Level Domain</name>
@@ -568,7 +571,10 @@
        <artwork name="" type="" align="left" alt=""><![CDATA[
 zTLD := Base32GNS-Encode(ztype||zkey)
 ztype||zkey := Base32GNS-Decode(zTLD)
-    ]]></artwork>
+         ]]></artwork>
+       <t>
+         where "||" is the concatenation operator.
+       </t>
        <t>
          The zTLD can be used as-is as a rightmost label in a GNS name.
          If an application wants to ensure DNS compatibility of the name,
@@ -589,7 +595,7 @@ ztype||zkey := Base32GNS-Decode(zTLD)
        <!-- FIXME: Is this really really necessary? Really? -->
        <artwork name="" type="" align="left" alt=""><![CDATA[
 zTLD[126..129].zTLD[63..125].zTLD[0..62]
-       ]]></artwork>
+         ]]></artwork>
    </section>
     <section anchor="revocation" numbered="true" toc="default">
        <name>Zone Revocation</name>
@@ -1016,6 +1022,14 @@ zTLD[126..129].zTLD[63..125].zTLD[0..62]
        There <bcp14>MAY</bcp14> be inactive records of the same type which have
        the SHADOW flag set in order to facilitate smooth key rollovers.
      </t>
+     <t>
+       In the following, "||" is the concatenation operator of two byte 
strings.
+       The algorithm specification uses character strings such as GNS labels or
+       constant values.
+       When used in concatenations or as input to functions the
+       null-terminator of the character strings <bcp14>MUST NOT</bcp14> be
+       included.
+     </t>
      <section anchor="gnsrecords_pkey" numbered="true" toc="default">
        <name>PKEY</name>
        <t>
@@ -1557,9 +1571,11 @@ S-Decrypt(zk,label,expiration,ciphertext):
          DNS name of the service to be transmitted over the transport protocol.
          In GNS, legacy host name records provide applications the DNS name 
that
          is required to establish a connection to such a service.
-         The most common use case is HTTP virtual hosting, where a DNS name 
must
-         be supplied in the HTTP "Host"-header.
-         Using a GNS name for the "Host"-header might not work as
+         The most common use case is HTTP virtual hosting and TLS Server Name
+         Indication <xref target="RFC6066"/>, where a DNS name must
+         be supplied in the HTTP "Host"-header and the TLS handshake,
+         respectively.
+         Using a GNS name in those cases might not work as
          it might not be globally unique. Furthermore, even if uniqueness is
          not an issue, the legacy service might not even be aware of GNS.
        </t>
@@ -1688,7 +1704,7 @@ S-Decrypt(zk,label,expiration,ciphertext):
    </section>
    </section>
    <section anchor="publish" numbered="true" toc="default">
-     <name>Record Storage</name>
+     <name>Record Encoding</name>
      <t>
        Any API which allows storing a value under a 512-bit key and retrieving
        one or more values from the key can be used by an implementation for 
record storage.
@@ -2450,6 +2466,12 @@ NICK: john (Supplemental)
        </section>
        <section anchor="security_cryptography" numbered="true" toc="default">
          <name>Cryptography</name>
+         <t>
+           The following considerations provide background on the design 
choices
+           of the ztypes specified in this document.
+           When specifying new ztypes as per <xref target="zones"/>, the same
+           considerations apply.
+         </t>
          <t>
            GNS PKEY zone keys use ECDSA over Ed25519.
            This is an unconventional choice,
@@ -2934,7 +2956,7 @@ Purpose | Name            | References | Comment
      <references>
        <name>Informative References</name>
          &RFC4033;
-       <!--  &RFC6781; -->
+         &RFC6066;
          &RFC7363;
          &RFC8324;
          &RFC8806;
diff --git a/rs_review_202204.txt b/rs_review_202204.txt
index 419dc0e..3b28856 100644
--- a/rs_review_202204.txt
+++ b/rs_review_202204.txt
@@ -33,8 +33,7 @@ Each definition might be more clear if the repetition of the 
term were omitted a
 
 In the "Name" definition, do you mean "applications MAY *require* that ... "?
 
-===== I think we could also formulate it like that. But that would be a 
normative statement for the application
-as opposed to a normative statement what the GNS impl. should expect.
+===== I think we could also formulate it like that. But that would be a 
normative statement for the application as opposed to a normative statement 
what the GNS impl. should expect. => No change.
 
 Using "Zone type" as the term for cipher and encoding seemed strange to me, 
why not "Zone Representation" or something shorter?  One or two examples before 
the terms, with text identifying the parts in the definition, would be helpful.
 
@@ -46,7 +45,7 @@ Sec 3, "cryptographically secured zones" is redundant, aren't 
all zones cryptogr
 
 Last sentence of first paragraph repeats the definition we just read.
 
-===== I don't think so.
+===== Unable to find this issue in the text itself.
 
 Second para "A zone can be populated by its owner with ..." A clarification 
that the distributed storage isn't required by the protocol would be useful.
 
@@ -54,21 +53,23 @@ Second para "A zone can be populated by its owner with ..." 
A clarification that
 
 The text introducing figure 2 makes me think it's going to show all the flows 
for a recursive resolution, and it is rather a high-level view.
 
-===== That is what the figure description sais and I think  this is enough for 
an "Overview".
+===== That is what the figure description sais and I think this is enough for 
an "Overview".
 
 Sec 4, which user creates and manages zones?  The Zone admin? The end-user?
 
-==== TODO
+==== Zone owners. Clarified.
 
 The forward ref to Section 5.1 should be before the list of algorithms in my 
opinion.
 
-==== TODO. After first review I disagree as it refers to the functions which 
are  introduced above.
+==== After review I disagree as it refers to the functions which are 
introduced above that text.
 
 Sec 4.1, maybe say "||" is the concatenation operator and that "[a..b]" is the 
semi-closed range from A to B-1
 
+==== Clarified the use of the operators.
+
 Sec 4.2, "strictly monotonically increasing order" I think monotonically is 
wrong.
 
-====== I am 95% sure that monotonically is correct when we talk about a 
function. Not sure about order.
+====== I am 99% sure that monotonically is correct and the important part.
 
 Sec 5, nice to block of IANA numbers for interop. Are timestamps in GNS always 
64bit microsec since 1/1/1970? Maybe add a definition or something at the top?
 
@@ -82,18 +83,23 @@ Sec 5.1.1, the crypto heart starts to appear. ;)  This all 
looks okay to me, and
 
 Sec 5.1.2, "highest 32 bytes" maybe "top-most"?  Nit.  SignDerived is clever.  
Consider asking CFRG to review the crypto in Sec 5.
 
+======= We could do that, but then again we had a review by djb already.
+
 Sec 5.2.1+5.2.2, have you thought of allowing multiple REDIRECT records to 
achieve some kind of load-balancing or other?
 
-======= Q: Maybe we want this? CNAME did not allow this, but it seems to be 
used in practice occasionally 
https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm#dns4-CHP-10-SECT-7.1
+======= This is a CNAME-derivative. It seems that CNAMEs do not support this 
either: 
https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_07.htm#dns4-CHP-10-SECT-7.1
 
 Sec 5.3.1, I would think TLS SNI value is also common for LEHO data.
 
+===== Added ref to RFC6066 SNI
+
 Sec 5.3.3, not unlike the new SVCB RR type?
 
+==== Yeah, bit is still draft status (?).
+
 Sec 6, is this whole storage strictly necessary for interop?  You could split 
it off into a separate document. There's not enough here to implement the 
storage. What happens to resolution if the GET() fails? I assume that's 
discussed.
 
-======= FIXME: We may want to consider renaming Section 6 and/or move it into 
a subsection of Section 5 as we do not really define the storage here.
-======= Record Wire Format / Record Encoding
+======= Renamed section to "Record Encoding" in order to avoid storage 
confusion.
 
 Sec 7, the application filters record sets.  Oh, that is *VERY* interesting.  
And that picture is starting to look familiar. Third time?
 
@@ -101,6 +107,8 @@ Sec 7.1+7.2+7.3 very nice, very clear, I could implement 
this (modulo the storag
 
 Sec 9.3 seems very important.  Somewhere up near the front you should 
forward-link to it.  And in the security considerations, backlink.
 
+===== Added.
+
 Sec 9.4, it's difficult because it requires law enforcement, etc., to get the 
private key?  Is that really so hard? https://xkcd.com/538/
 
 ==== No, because of the user-centric design for delegations. TODO: Clarify 
again in text?

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]