Re: [dane] draft-ietf-dane-openpgpkey-00 comments
Paul Wouters <paul@nohats.ca> Wed, 23 April 2014 01:45 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 432371A02EE for <dane@ietfa.amsl.com>; Tue, 22 Apr 2014 18:45:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Level:
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZUmuV6_3Bst6 for <dane@ietfa.amsl.com>; Tue, 22 Apr 2014 18:44:54 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id E2BA01A02D9 for <dane@ietf.org>; Tue, 22 Apr 2014 18:44:53 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 853BC8009A; Tue, 22 Apr 2014 21:44:46 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1398217487; bh=jUpZPU/YHo6yqG5A+8e1NW+uZbEovAo+hZS4dgSVzjc=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=ckuMlYw5M9DG78Hlo7q75CWsp3RACvr/NlZcKaEVdGB6a5PTNEtazGZQ0DDRKeSvc jIfjjCPifNfr52ADjYt94WxkrHon3eny6scBVCrkdhb1JpE7FGC02TKED1CSCWqE5f 4M2Z9uKZLRF0+phMQ2XPUOeHd7vOFsTtL5BNg7WE=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s3N1ihqS017484; Tue, 22 Apr 2014 21:44:44 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Tue, 22 Apr 2014 21:44:43 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20140422234112.7C239143C8CC@rock.dv.isc.org>
Message-ID: <alpine.LFD.2.10.1404222138260.32149@bofh.nohats.ca>
References: <20140410175623.1767.25701.idtracker@ietfa.amsl.com> <53562BA6.6010808@redhat.com> <53564F63.2010008@redhat.com> <m3d2g9dntz.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1404221827080.32654@bofh.nohats.ca> <20140422234112.7C239143C8CC@rock.dv.isc.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/1w41yWV9K57Rsjm24Wjv-Q4xqKA
Cc: dane@ietf.org
Subject: Re: [dane] draft-ietf-dane-openpgpkey-00 comments
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 01:45:13 -0000
On Wed, 23 Apr 2014, Mark Andrews wrote:
>> CERT also uses sub-typing, so you might end up getting all kind of types
>> of certificates (like a PKIX cert) that you don't want or need. Granted,
>> the _openpgpkey. prefix would at least prevent the non-malicious
>> contamination, but you might still get all kinds of weird stuff. From
>> what I understood, sub-typing was what really killed the CERT record,
>> and everyone since has been strongly urged to stay away from sub-typing,
>> and told to use _prefix. instead.
>
> Then you have failed to understand RFC 5507.
Hmm, I read from RFC 5507"
When storing data in the DNS for a new application, the goal must be
to store data in such a way that the application can query for the
data it wants, while minimizing both the impact on existing
applications and the amount of extra data transferred to the client.
This implies that a number of design choices have to be made, where
the most important is to ensure that a precise selection of what data
to return must be made already in the query.
To me that reads as "don't do sub-typing" because the query cannot
request the single type it is interested it, and can only get the full
list.
>> The CERT record also does not offer a nice presentation format for the
>> zone file. The RFC states:
>>
>> smith IN CERT PGP 0 0 <OpenPGP binary>
>
> CERT records have base64 as the presentation format of the
> binary blob.
The line above here containing "smith" comes straight from that same
RFC, so that's a little confusing then :P I did not read "<OpenPGP binary>"
as "base64" :P
Maybe we should file an errata (if people cared about CERT)
Paul
- [dane] I-D Action: draft-ietf-dane-openpgpkey-00.… internet-drafts
- [dane] draft-ietf-dane-openpgpkey-00 comments Petr Spacek
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Petr Spacek
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Viktor Dukhovni
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Petr Spacek
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments James Cloos
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Paul Wouters
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Mark Andrews
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Paul Wouters
- Re: [dane] draft-ietf-dane-openpgpkey-00 comments Mark Andrews