Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 06 February 2014 04:31 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 419EB1A0277 for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 20:31:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMGJGcmmj0eO for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 20:31:40 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 4C8A11A022B for <dane@ietf.org>; Wed, 5 Feb 2014 20:31:40 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 935452AB243; Thu, 6 Feb 2014 04:31:38 +0000 (UTC)
Date: Thu, 6 Feb 2014 04:31:38 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140206043138.GT278@mournblade.imrryr.org>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org> <20140205210516.GN278@mournblade.imrryr.org> <alpine.LFD.2.10.1402052254590.13653@bofh.nohats.ca> <20140206042311.GF21114@mx1.yitter.info>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140206042311.GF21114@mx1.yitter.info>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 04:31:42 -0000

On Wed, Feb 05, 2014 at 11:23:11PM -0500, Andrew Sullivan wrote:

> Pray tell, how does the application learn the TTL?  What if it
> doesn't, and guesses wrong?

I must plead ignorance of the obstacle, what do you have in mind?

If learning DNS TTLs along with the RRset data is problematic,
application caches should have reasonably short maximum lifetimes.
For an MUA caching an SMIMEA certificate, probably on the order of
7days or less.  This is substantially shorter than typical PKIX
certificate lifetimes and commensurate with say typical Kerberos
ticket renewal lifetimes (another form of short term cached
credentials).

-- 
	Viktor.