[Cfrg] DANE in the IETF (was: Re: considering new topics for CFRG)

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 08 January 2014 19:22 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <3C4AAD4B5304AB44A6BA85173B4675CABA9A1154@MSMR-GH1-UEA03.corp.nsa.gov>
Date: Wed, 08 Jan 2014 11:21:43 -0800
Message-Id: <F4E3175C-5C58-4C4C-89A2-5AB247D0D574@vpnc.org>
References: <52C755AA.70200@cisco.com> <33E0BF53-A331-4646-B080-FD4F6E13916E@ieca.com> <52CD314B.2000604@cisco.com> <3C4AAD4B5304AB44A6BA85173B4675CABA9A1154@MSMR-GH1-UEA03.corp.nsa.gov>
To: "Igoe, Kevin M." <kmigoe@nsa.gov>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] DANE in the IETF (was: Re: considering new topics for CFRG)
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Jan 8, 2014, at 10:15 AM, Igoe, Kevin M. <kmigoe@nsa.gov> wrote:

> I'd like to see the CFRG investigate how far the DANE paradigm
> can be pushed w/o bringing the system to a screeching halt.
> For example, there is a group at NIST looking at the possibility
> of leveraging DANE for use with e-mail.

You mean like with draft-ietf-dane-smime and draft-ietf-dane-smtp-with-dane, both of which are already being discussed in the DANE WG? :-)

> Who else is out there
> hoping to piggyback on DANE?

And shouldn't those people tell the DANE folks about it?

> Can DANE be the new PKI?  If not,
> what features does it lack & can it be "patched"?

The discussion of "could DANE or something like it be a new PKI" could happen here, but folks wanting to do so should read the archives of the DANE WG.

Any communications medium that has cryptographic protection and proof of origin can be a new PKI, or it can be part of the delivery for the old PKI. Keys-over-DNS is nothing new, nor are keys-over-TLS, keys-over-IPsec, keys-over-CMS, and so on.

--Paul Hoffman
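The mechanism both messages above refer to is the TLSA record of RFC 6698: the DNS carries a certificate association (usage, selector, matching type, data) under a name like _25._tcp.mx.example.com, and the client checks the certificate the server presents against it. The following is an added worked example of that check, not code from this thread or from the DANE WG drafts. It assumes the TLSA record has already been fetched and DNSSEC-validated (the "proof of origin" in Paul's message; without it the record proves nothing, and this code does no DNS at all), it builds a constructed, unsigned dummy certificate with a tiny DER encoder so it runs offline, and the owner name and key bytes are placeholders. It shows per-certificate matching as used for DANE-EE(3); for PKIX-TA(0) and DANE-TA(2) the same matching is applied to a CA certificate in the chain, and that chain walk is not shown.

```python
"""DANE TLSA matching (RFC 6698 section 2).  Added example; the certificate is
a constructed dummy DER structure, and the TLSA record is assumed to have been
DNSSEC-validated already (not done here)."""
import hashlib
import hmac
from dataclasses import dataclass

# ---- minimal DER encoder / decoder (enough for Certificate -> SPKI) ---------

def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))

def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, raw_tlv, value, next_offset) for the TLV at buf[off:]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:end], buf[start:end], end

def children(value: bytes):
    out, off = [], 0
    while off < len(value):
        tag, raw, val, off = parse_tlv(value, off)
        out.append((tag, raw, val))
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """DER-encoded SubjectPublicKeyInfo of an X.509 Certificate (RFC 5280 4.1)."""
    _, _, cert_body, _ = parse_tlv(cert_der)
    tbs_tag, _, tbs_body = children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_raw, _ = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw

# ---- TLSA record handling ---------------------------------------------------

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, rdata: str) -> "TLSA":
        """Parse '3 1 1 <hex>'; the hex may be split across whitespace."""
        parts = rdata.split()
        if len(parts) < 4:
            raise ValueError("TLSA needs usage, selector, matching type, data")
        usage, selector, matching = (int(p) for p in parts[:3])
        if usage not in range(4) or selector not in range(2) or matching not in range(3):
            raise ValueError("unknown TLSA parameter value")
        return cls(usage, selector, matching, bytes.fromhex("".join(parts[3:])))

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data for one certificate (RFC 6698 2.1.2, 2.1.3)."""
    if selector not in (0, 1):
        raise ValueError("unknown selector")
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        return subject
    if matching == 1:
        return hashlib.sha256(subject).digest()
    if matching == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError("unknown matching type")

def tlsa_for_cert(cert_der: bytes, usage: int, selector: int, matching: int) -> TLSA:
    """Build the record an operator would publish for this certificate."""
    return TLSA(usage, selector, matching, association_data(cert_der, selector, matching))

def tlsa_matches(tlsa: TLSA, cert_der: bytes) -> bool:
    """Does the presented certificate match the (DNSSEC-validated) record?"""
    expected = association_data(cert_der, tlsa.selector, tlsa.matching)
    return hmac.compare_digest(expected, tlsa.data)

# ---- constructed dummy certificate (placeholder key, unsigned) ---------------

RSA_ENC_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
SHA256_RSA_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption

def fake_cert(key_bytes: bytes) -> bytes:
    """Only the DER layout matters for this example; the key is a placeholder."""
    spki = der_seq(der_seq(RSA_ENC_OID, der_tlv(0x05, b"")),
                   der_tlv(0x03, b"\x00" + key_bytes))                # BIT STRING
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                        # [0] version v3
        der_tlv(0x02, b"\x01"),                                       # serialNumber
        der_seq(SHA256_RSA_OID, der_tlv(0x05, b"")),                  # signature alg
        der_seq(),                                                    # issuer (empty)
        der_seq(der_tlv(0x17, b"140108000000Z"), der_tlv(0x17, b"150108000000Z")),
        der_seq(),                                                    # subject (empty)
        spki,
    )
    return der_seq(tbs, der_seq(SHA256_RSA_OID, der_tlv(0x05, b"")),
                   der_tlv(0x03, b"\x00" * 33))                       # dummy signature

if __name__ == "__main__":
    mail_cert, other_cert = fake_cert(b"\x11" * 64), fake_cert(b"\x22" * 64)
    rr = tlsa_for_cert(mail_cert, usage=3, selector=1, matching=1)   # DANE-EE, SPKI, SHA-256
    print("_25._tcp.mx.example.com. IN TLSA", rr.presentation())
    print("pinned cert matches:", tlsa_matches(rr, mail_cert))
    print("other cert matches:", tlsa_matches(rr, other_cert))
```

Selector 1 with matching type 1 (the "3 1 1" form) pins the public key rather than the whole certificate, so the record survives a re-issuance that keeps the key; selector 0 ties the record to every byte of the certificate, including its validity period. Either way the comparison is only as good as the DNSSEC validation that delivered the record.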