Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-24 Thread Alec Muffett
>Alec, would you care to explain >the differences on the IANA >considerations between this >draft and the P2PNames draft Woo! I'm honoured, but I am a considerably less IANA-informed schmuck than you take me for. :-) I've been heads-down in Tor and the wider Tor community for some time now, a

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-24 Thread hellekin
On 03/24/15 20:03, Alec Muffett wrote: > Hi Hellekin! > > I would agree that leak avoidance is “a major” rather than “the prime” > point of having .onion reserved as a TLD. > *** Agreed. I came from the privacy side of the arguments, which tends to

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-24 Thread Alec Muffett
Hi Hellekin! I would agree that leak avoidance is “a major” rather than “the prime” point of having .onion reserved as a TLD. There are many good reasons for reserving “.onion” as a TLD, including but not limited to: - avoiding leaks (above) - not wasting resource on trying to resolve the “.oni

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-24 Thread hellekin
On 03/23/15 10:31, Andrew Sullivan wrote: > > if somehow the onion name leaked and ended up in the DNS, it's not a > big deal > *** Well, although you're right as far as *applications* are concerned, this is still a big deal because humans are using

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-23 Thread Hugo Connery
On 03/23/2015 02:31 PM, Andrew Sullivan wrote: [snip]. > It might be worth adding a sentence or two after the list in section 2 > to that effect. Perhaps, "It is important to note that any > contamination of DNS caches with onion names cannot have a negative > affect on any correctly-operating so

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-23 Thread Andrew Sullivan
First, sorry, I don't know why I wrote "section 4"; this is section 2, but I think you understood me. On Mon, Mar 23, 2015 at 12:57:53PM +, Alec Muffett wrote: > a) the software in question is talking to a Tor proxy which acts as a > gateway to the Tor network (and to the rest of the internet-

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-23 Thread Alec Muffett
Hi Andrew, If I understand your question correctly, you are asking whether in the instance that a DNS server receives and caches a NXDOMAIN for some/all .onion, whether that could impact software which uses Tor? Software which uses Tor does so via a proxy which internally performs the resolution

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-22 Thread John Levine
>To begin with, in general I think this document is on the right path >and something very close to it should be published. It's >narrowly-focussed, Agreed. Let's do these special case TLDLTs (top level domain like things) one at a time unless there's a group with identical technical and usage i

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-22 Thread Warren Kumari
On Sat, Mar 21, 2015 at 6:12 PM, Andrew Sullivan wrote: > Dear colleagues, > > On Mon, Mar 16, 2015 at 10:16:37PM +, Jacob Appelbaum wrote: > >> I realized after uploading that I hadn't sent this along for discussion. > >> > Name: draft-appelbaum-dnsop-onion-tld > > I've read th

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-21 Thread Andrew Sullivan
Dear colleagues, On Mon, Mar 16, 2015 at 10:16:37PM +, Jacob Appelbaum wrote: > I realized after uploading that I hadn't sent this along for discussion. > > Name: draft-appelbaum-dnsop-onion-tld I've read this draft. I have a few comments. To begin with, in general I think t

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-21 Thread joel jaeggli
On 3/17/15 8:11 PM, Andrew Sullivan wrote: > On Tue, Mar 17, 2015 at 12:59:25PM -0400, Richard Barnes wrote: If an application does not implement tor, and is not tor aware, it _will_ do a DNS lookup. You can't really go ask the world to stop doing that. You need to deal with tha

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-18 Thread Edward Lewis
On 3/17/15, 21:53, "Richard Barnes" wrote: >The only nit I would pick with the above is that it's perfectly possible >to *specify* what should be done, but of course one should not expect >that to instantly change everyone's behavior. A preamble - I don't think what is "perfectly possible" matte

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-18 Thread Florian Weimer
On 03/17/2015 04:16 PM, Christian Grothoff wrote: > it's a Lex Facebook, just like reserving ".local" was a Lex Apple. I'm not > generally against those at all, but I personally dislike that IETF > passes things > quickly if they are backed by multi-billion dollar companies, The reservation of “

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Tom Ritter
On 17 March 2015 at 10:49, David Conrad wrote: >> On 17 March 2015 at 10:36, David Cake wrote: >> >> I'm generally in favour of this proposal. > > +1 I also support this draft. CA issuance for .onion post-October is dependent on this draft, and external reliance on an RFC (or lack of RFC) by so

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Richard Barnes
On Tue, Mar 17, 2015 at 9:11 PM, Andrew Sullivan wrote: > On Tue, Mar 17, 2015 at 12:59:25PM -0400, Richard Barnes wrote: > > > > > > > >If an application does not implement tor, and is not tor aware, it > > > >_will_ do a DNS lookup. You can't really go ask the world to stop > > > >doing that. Y

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Andrew Sullivan
On Tue, Mar 17, 2015 at 12:59:25PM -0400, Richard Barnes wrote: > > > > > >If an application does not implement tor, and is not tor aware, it > > >_will_ do a DNS lookup. You can't really go ask the world to stop > > >doing that. You need to deal with that fact. > > > > The entire point of the spe

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Andrew Sullivan
(cc:s trimmed) On Tue, Mar 17, 2015 at 04:16:02PM +0100, Christian Grothoff wrote: > it's a Lex Facebook, just like reserving ".local" was a Lex Apple. I'm not > generally against those at all, but I personally dislike that IETF > passes things > quickly if they are backed by multi-billion dollar

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread hellekin
On 03/17/15 19:10, Ted Lemon wrote: > > The problem is that there is more than one such string, and consensus depends on > the least popular string listed. > *** RFC 6761 reserves multiple in-addr.arpa. domains, example under three TLDs, plus .test.

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Ted Lemon
On Mar 17, 2015, at 5:37 PM, hellekin wrote: >> What benefit does tying a bunch of unrelated strings together bring >> in arguing for Special Name status? >> > *** I know you already replied that you already commented the P2PNames > draft, but frankly my response should be pasting the whole Intro

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread hellekin
On 03/17/15 18:28, David Conrad wrote: > > What benefit does tying a bunch of unrelated strings together bring > in arguing for Special Name status? > *** I know you already replied that you already commented the P2PNames draft, but frankly my resp

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Conrad
On Mar 17, 2015, at 1:16 PM, Ted Lemon wrote: > On Mar 17, 2015, at 3:15 PM, Rubens Kuhl wrote: >> so the point for a .onion-specific work instead of it becoming part of a >> larger effort still escapes me. > > It's easier to get consensus on one thing than on many. +1 What benefit does tying

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Ted Lemon
On Mar 17, 2015, at 3:15 PM, Rubens Kuhl wrote: > so the point for a .onion-specific work instead of it becoming part of a > larger effort still escapes me. It's easier to get consensus on one thing than on many.

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Alec Muffett
uffett mailto:al...@fb.com>> Cc: dnsop mailto:dnsop@ietf.org>> Subject: Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt The ballot explicitly calls .onion an specified non-internal name, so whether the IETF defines that as non-delegatable doesn't really seem t

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Rubens Kuhl
> On Mar 17, 2015, at 4:36 PM, Alec Muffett > wrote: > > Hi Ruben, > > As I think you’ll see from the document, in our seeking classification of > “.onion” in the “special use domains registry” under the terms governing that > space, I think it’s fair for me to say that N

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Alec Muffett
“concrete” rather than “alleged” time sensitivity. - alec From: Rubens Kuhl mailto:rube...@nic.br>> Date: Tuesday, March 17, 2015 at 7:15 PM To: Alec Muffett mailto:al...@fb.com>> Cc: dnsop mailto:dnsop@ietf.org>> Subject: Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Rubens Kuhl
> On Mar 17, 2015, at 4:01 PM, Alec Muffett > wrote: > > Hi Rubens! > > On 3/17/15, 6:34 PM, "Rubens Kuhl" mailto:rube...@nic.br>> > wrote: > >>> >> And where in this ballot is there a need for explicit reserving of >> .onion, since CAs already know they shouldn't try us

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Alec Muffett
Hi Rubens! On 3/17/15, 6:34 PM, "Rubens Kuhl" wrote: >> >And where in this ballot is there a need for explicit reserving of >.onion, since CAs already know they shouldn't try using DNS in the >process of verifying a .onion certificate ? If I correctly understand the direction of your question,

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Rubens Kuhl
> On Mar 17, 2015, at 3:02 PM, Alec Muffett wrote: > > Rubens, allow me please to direct your attention to: > > > > https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names > / > And where in this ballot is there a need for explicit reserving of .onion, since CAs already

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Cake
> On 18 Mar 2015, at 1:49 am, David Conrad wrote: >> As per that document, ICANN security team have been among the groups >> pressuring to have the local namespaces loophole closed for at least a >> couple of years now. And the problem has scuttled some gTLD applications >> that are regar

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Hugo Maxwell Connery
for draft-appelbaum-dnsop-onion-tld-00.txt [snip]. > Applications that do not implement the Tor protocol > SHOULD generate an error upon the use of .onion, and SHOULD NOT > perform a DNS lookup. > >If an application does not implement tor, and is not tor aware, it &

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Alec Muffett
Rubens, allow me please to direct your attention to: https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names / Aside: EV certificates are what will be issued for Onion addresses, even wildcard onion address certificates, for reasons explained on the Ballot. - alec On

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Conrad
Hi, > More details on the dangers associated with these certificates in the > context of an active gTLD expansion especially in ICANN SSAC document SSAC057 > https://www.icann.org/en/system/files/files/sac-057-en.pdf > Yes. >

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Cake
> On 17 Mar 2015, at 10:55 pm, Alec Muffett wrote: >> How does the certificate "dead line" affect (non-)DNS for .onion? > > Permit me to quote Brad Hill: > > Quote: "The end date for the internal names loophole* is October - all > public certs [which are issued] not for public namespaces MUST b

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Rubens Kuhl
Considering .onion is a non-resolving TLD, how would a CA issue a certificate for a .onion name that they can't verify whether the requester is the administrator of that service ? DV certificates can use lots of mechanisms to verify that, but is one of them feasible for CAs to use ? Rubens

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Conrad
Alec, On Mar 17, 2015, at 9:20 AM, Alec Muffett wrote: > Christian’s response clearly distinguishes the separateness of Jake & my > document "draft-appelbaum-dnsop-onion-tld-00.txt” from his > “draft-grothoff-iesg-special-use-p2p-names”. Yes. Hopefully, a revised version of draft-grothoff will b

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Tim Wicinski
On 3/17/15 4:20 PM, Alec Muffett wrote: Before this discussion becomes derailed by discussion of the strategies of the contents of other proposals, I would like to round this discussion back to the matter of the draft-appelbaum-dnsop-onion-tld-00.txt document: Christian’s response clearly dis

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Richard Barnes
Not being on DNSOP, I may be missing context here, but this exchange jumped out at me as especially wrong: > Applications that do not implement the Tor protocol > > SHOULD generate an error upon the use of .onion, and SHOULD NOT > > perform a DNS lookup. > > > >If an application

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Conrad
Hellekin, > On Mar 17, 2015, at 9:09 AM, hellekin wrote: >> My personal observation is that one of the problems with your draft > *** Maybe you should direct comments on the P2PNames draft to the > P2PNames conversation. Your comment suggests that the Introduction > section of the draft did not

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Alec Muffett
Before this discussion becomes derailed by discussion of the strategies of the contents of other proposals, I would like to round this discussion back to the matter of the draft-appelbaum-dnsop-onion-tld-00.txt document: Christian’s response clearly distinguishes the separateness of Jake & my doc

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread hellekin
On 03/17/15 12:58, David Conrad wrote: > > I doubt arguments of this nature are particular helpful. > *** I feel obliged to reflect this to you. > My personal observation is that one of the problems with your draft > *** Maybe you should direct com

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread David Conrad
Hi, > On Mar 17, 2015, at 8:16 AM, Christian Grothoff wrote: > I'm not generally against those at all, but I personally dislike that IETF > passes things quickly if they are backed by multi-billion dollar companies, > while putting > up high hurdles (and delays are obstacles) for proposals that

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Christian Grothoff
On 03/17/2015 03:55 PM, Alec Muffett wrote: > The reason I am not more emphatic in this matter is that the question > as-phrased is essentially about *that* document, not this one, and I do > not speak for or on behalf of Christian Grothoff, author of that document. > > Thus, I shall cc: Christian

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-17 Thread Alec Muffett
, "Paul Wouters" wrote: >On Mon, 16 Mar 2015, Jacob Appelbaum wrote: >> Subject: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt > >Is this meant to replace or augment >draft-grothoff-iesg-special-use-p2p-names ? My understanding is that this is not meant t

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread hellekin
On 03/16/15 23:20, Paul Wouters wrote: > > It seems odd that two documents would be requesting an IANA action for > ".onion" ? > *** Well yes, it sounds like a mistake to me. But we can also consider it a god-given gift for people who argued agains

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread Paul Wouters
On Mon, 16 Mar 2015, hellekin wrote: Is this meant to replace or augment draft-grothoff-iesg-special-use-p2p-names ? *** This draft only covers .onion, one of the two pTLDs related to the Tor Project in the P2PNames draft, so the obvious answer is that it won't replace it. Now the P2PNames dr

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread hellekin
On 03/16/15 22:14, Paul Wouters wrote: > On Mon, 16 Mar 2015, Jacob Appelbaum wrote: > >> Subject: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt > > Is this meant to replace or augment > draft-grothoff-iesg-

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread Paul Wouters
On Mon, 16 Mar 2015, Jacob Appelbaum wrote: Subject: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt Is this meant to replace or augment draft-grothoff-iesg-special-use-p2p-names ? - most importantly is the date October 1st. On that date we'll have a death day for curr

[DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread Jacob Appelbaum
Hi, I realized after uploading that I hadn't sent this along for discussion. Hopefully it is a topic of discussion in Dallas. Tor's onion names are widely deployed and used by lots of folks all around the world. Our deployment size isn't news or really much of a discussion point - rather, I'm pr