Re: [dane] [openpgp] The DANE draft
Werner Koch <wk@gnupg.org> Mon, 27 July 2015 06:50 UTC
From: Werner Koch <wk@gnupg.org>
To: Paul Wouters <paul@nohats.ca>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87si8dagiz.fsf@vigenere.g10code.de> <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca> <CAMm+LwiUahW0wKGa6Bo=275+LbmR2qTu6Yuwwc9irDLsc=563Q@mail.gmail.com> <alpine.LFD.2.11.1507260422030.29300@bofh.nohats.ca>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: Paul Wouters <paul@nohats.ca>, Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>, dane WG list <dane@ietf.org>
Date: Mon, 27 Jul 2015 08:49:44 +0200
In-Reply-To: <alpine.LFD.2.11.1507260422030.29300@bofh.nohats.ca> (Paul Wouters's message of "Sun, 26 Jul 2015 05:11:02 -0400 (EDT)")
Message-ID: <87io968587.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/4x5b_uFLQpiaFdXQPtK6-x61phM>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, dane WG list <dane@ietf.org>, IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [dane] [openpgp] The DANE draft
On Sun, 26 Jul 2015 11:11, paul@nohats.ca said:

> X.509 parsers were not needed. If you don't think X.509 is a problem,
> then you haven't been paying attention to CVE's.

There is a lot more X.509 code in use than OpenPGP code and thus it
might be unfair to compare CVE counts. But sure, BER encoding along
with all bug compatibility stuff is a mess.

> Actually, a quick ldd on /usr/bin/gpg* shows no libraries that I know of
> that do PKIX. And it would be good not to add new ones just because we

Do it on gpgsm and dirmngr and you will find libksba [1] which provides
the X.509 and CMS parser and builder. gpgsm does high level processing
including validation and dirmngr takes care of CRLs and OCSP.

> I also find it _really_ ironic that it is not the openpgp key servers
> that you are calling "vast, aging and vaguely understood infrastructure"
> because if anything is a dangerous misunderstood mess that we cannot
> seem to clean up, it is the current electronic garbage heap of pgp
> keys we can never clean up because the owners lost their keys or

We do not want to clean that up - there is and should be no need to
ever delete a public key from a public server. Unfortunately the
keyservers are also the only working solution to map mail addresses to
keys/fingerprints. This is the practical problem we need to solve - not
the public storage of the keys.

> the keys were generated and uploaded by those not actually being the
> real owners of those email address specified in the openpgp key id.

What is an "owner" of a mail address? Definitely nothing a keyserver
has to decide.

> It is _really_ difficult to design any other method of openpgp key
> distribution that would be _worse_ than the current key servers.

Nope. As I mentioned: distribution is not the problem. Association of
mail addresses to keys is the problem because the WoT does not really
scale.

> And this is an actual real problem. There is no valid reason for needing
> to "work around" an experimental proposal that has a significant backing
> of people in the IETF, the mail community and opensource software

Experimental? I might be confused but draft-ietf-dane-openpgpkey-03
states Standards Track and Intended Status.


Salam-Shalom,

   Werner


[1] KSBA = rot13("XFON") // X-Five-O-Nine

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
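The message above frames the real problem as mapping a mail address to a key. The DANE OPENPGPKEY design answers that by publishing the key under a DNS name derived from the address and letting DNSSEC validation, not a keyserver, vouch for the mapping. The following is an added example, not code from this thread, from GnuPG or from the draft's authors. It uses the owner-name construction as published in RFC 7929 (the successor of draft-ietf-dane-openpgpkey): SHA2-256 of the local part, truncated to 28 octets and hex-encoded, as a label under `_openpgpkey` below the mail domain. The `DnsAnswer` type, the `authenticated` flag standing in for a validating resolver's AD bit, and the sample key bytes are constructed for this example; lowercasing the domain is this example's choice.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(email: str) -> str:
    """Return the DNS owner name an OPENPGPKEY lookup for `email` queries.

    RFC 7929 naming: hex(SHA2-256(local-part)[:28]) . _openpgpkey . domain
    The local part is hashed exactly as given; the domain is lowercased here
    (this example's assumption) and the name is returned fully qualified.
    """
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{OPENPGPKEY_LABEL}.{domain.lower().rstrip('.')}."


@dataclass
class DnsAnswer:
    """Constructed stand-in for a validating resolver's reply (not a real API)."""
    owner: str                       # owner name the answer was returned for
    authenticated: bool              # resolver set the AD bit (DNSSEC validated)
    rdata: List[bytes] = field(default_factory=list)  # one binary OpenPGP key per RR


def select_openpgpkey(email: str, answer: DnsAnswer) -> Optional[bytes]:
    """Acceptance policy for a DANE-aware client.

    Returns the first plausible key, or None when the answer must not be
    trusted. The policy is the defensive core of the scheme: an answer that
    was not DNSSEC-validated carries no more assurance than a keyserver hit.
    """
    # 1. The reply must be for exactly the name we derived from the address.
    if answer.owner.lower() != openpgpkey_owner_name(email).lower():
        return None
    # 2. Without DNSSEC validation the mapping is unauthenticated; refuse it.
    if not answer.authenticated:
        return None
    # 3. Discard RRs that cannot be an OpenPGP transferable public key:
    #    every OpenPGP packet header byte has its high bit set (RFC 4880).
    candidates = [k for k in answer.rdata if k and (k[0] & 0x80)]
    if not candidates:
        return None
    return candidates[0]


def demo() -> dict:
    """Run the policy over constructed answers; returns outcomes for inspection."""
    address = "hugh@example.com"
    name = openpgpkey_owner_name(address)
    # Constructed sample "key": a public-key packet header byte followed by
    # filler. It is NOT a real key; only the header-byte check looks at it.
    fake_key = b"\x98\x0d" + b"\x00" * 13
    validated = DnsAnswer(owner=name, authenticated=True, rdata=[fake_key])
    unvalidated = DnsAnswer(owner=name, authenticated=False, rdata=[fake_key])
    wrong_name = DnsAnswer(owner="bogus._openpgpkey.example.com.",
                           authenticated=True, rdata=[fake_key])
    garbage = DnsAnswer(owner=name, authenticated=True, rdata=[b"not a key"])
    return {
        "owner_name": name,
        "validated": select_openpgpkey(address, validated),
        "unvalidated": select_openpgpkey(address, unvalidated),
        "wrong_name": select_openpgpkey(address, wrong_name),
        "garbage": select_openpgpkey(address, garbage),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

The point of the policy function is the second check: the lookup name is public and anyone can guess it, so the only thing that turns an OPENPGPKEY record into an address-to-key binding is DNSSEC validation of the answer, and a client that ignores the AD bit has rebuilt the keyserver trust model on top of DNS.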
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Olafur Gudmundsson
- Re: [dane] [openpgp] The DANE draft Phillip Hallam-Baker
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- [dane] Is running a DANE nameserver for a TLD as … Coyo
- Re: [dane] Is running a DANE nameserver for a TLD… Viktor Dukhovni
- Re: [dane] Is running a DANE nameserver for a TLD… Coyo
- Re: [dane] [openpgp] The DANE draft Werner Koch
- Re: [dane] Is running a DANE nameserver for a TLD… Wiley, Glen
- Re: [dane] Is running a DANE nameserver for a TLD… Nico Williams
- Re: [dane] The DANE draft Simon Josefsson
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Patrick Ben Koetter
- Re: [dane] [openpgp] The DANE draft Paul Hoffman
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Carsten Strotmann
- Re: [dane] [openpgp] The DANE draft Paul Hoffman
- Re: [dane] [openpgp] The DANE draft Patrik Löhr
- Re: [dane] [openpgp] The DANE draft Viktor Dukhovni
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Daniel Kahn Gillmor
- Re: [dane] [openpgp] The DANE draft Daniel Kahn Gillmor
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Jiankang Yao
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Vincent Breitmoser
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Carsten Strotmann
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Viktor Dukhovni
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Warren Kumari
- Re: [dane] [openpgp] The DANE draft Daniel Kahn Gillmor