IETF Logo Mail Archive

Re: [dane] draft-ietf-dane-openpgpkey-00 comments

Mark Andrews <marka@isc.org> Tue, 22 April 2014 23:41 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36F371A02AC for <dane@ietfa.amsl.com>; Tue, 22 Apr 2014 16:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.173
X-Spam-Level:
X-Spam-Status: No, score=-7.173 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A1g7WhanQwV6 for <dane@ietfa.amsl.com>; Tue, 22 Apr 2014 16:41:33 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) by ietfa.amsl.com (Postfix) with ESMTP id EDBC51A0283 for <dane@ietf.org>; Tue, 22 Apr 2014 16:41:32 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 1A009238400; Tue, 22 Apr 2014 23:41:15 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B1D92160064; Tue, 22 Apr 2014 23:43:51 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 814DB160056; Tue, 22 Apr 2014 23:43:51 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 7C239143C8CC; Wed, 23 Apr 2014 09:41:12 +1000 (EST)
To: Paul Wouters <paul@nohats.ca>
From: Mark Andrews <marka@isc.org>
References: <20140410175623.1767.25701.idtracker@ietfa.amsl.com> <53562BA6.6010808@redhat.com> <53564F63.2010008@redhat.com> <m3d2g9dntz.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1404221827080.32654@bofh.nohats.ca>
In-reply-to: Your message of "Tue, 22 Apr 2014 18:42:42 -0400." <alpine.LFD.2.10.1404221827080.32654@bofh.nohats.ca>
Date: Wed, 23 Apr 2014 09:41:12 +1000
Message-Id: <20140422234112.7C239143C8CC@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/3WKs0nIiCd8feXLjV4cPXZVH3Bs
Cc: dane@ietf.org
Subject: Re: [dane] draft-ietf-dane-openpgpkey-00 comments
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Apr 2014 23:41:38 -0000

In message <alpine.LFD.2.10.1404221827080.32654@bofh.nohats.ca>, Paul Wouters writes:
> On Tue, 22 Apr 2014, James Cloos wrote:
> 
> > PS> What about CERT RR?
> > PS> http://tools.ietf.org/html/rfc4398#section-2.1 contains this (beside others):
> >
> > Cert uses the user portion of the email address as-is, and therefor only
> > supports usernames which fit unalterred in dns.
> 
> Correct. Although we could have used the openpgpkey style _prefix to
> avoid that, there were more issues with the CERT record type.
> 
> CERT also uses sub-typing, so you might end up getting all kind of types
> of certificates (like a PKIX cert) that you don't want or need. Granted,
> the _openpgpkey. prefix would at least prevent the non-malicious
> contamination, but you might still get all kinds of weird stuff. From
> what I understood, sub-typing was what really killed the CERT record,
> and everyone since has been strongly urged to stay away from sub-typing,
> and told to use _prefix. instead.

	Then you have failed to understand RFC 5507.

> The CERT record also does not offer a nice presentation format for the
> zone file. The RFC states:
> 
>        smith        IN CERT PGP 0 0 <OpenPGP binary>

	CERT records have base64 as the presentation format of the
	binary blob.  This is independent of the type of certificate
	being encoded.  See RFC 4398 2.2 Text Representation of CERT RRs.
	I think you are confusing wire format and presentation format.

> Having binary in a zone is really a non-starter. Which is why OPENPGPKEY
> uses base64 as the presentation format and the raw binary as the wire
> format.
>
> > Some aspects of the rfc are a bit terse.  Can you tell, for IPGP,
> > whether the length octet is a bit-lenght or an octet-length?  Or
> > which data, exactly, is digested to create the key tag?
> 
> IPGP specifies a URL, so now that url becomes another security hurdle.
> What do you do when it is on https and you don't trust the CA, ignore.
> What do you do when the URL is unreachable - is that censorship/attack?
> With the full key in DNSSEC, you get the entire key using only one DNS
> query without any followup HTTP(S) queries that you might not be able to
> do for various (security/monitoring) reasons.
> 
> It seemed much more desirable to start a fresh dedicated RRTYPE over
> fixing up the CERT RRTYPE and then needing to deal with servers that
> only support the "old CERT type" versus ones that support the "new CERT
> type". In other words, the pain of recycling was worse than just
> starting fresh.
> 
> Paul
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email