[dane] Enterprise email security reqs breakdown: REQ7 (signing/encryption certs)
"Rose, Scott" <scott.rose@nist.gov> Wed, 03 September 2014 18:05 UTC
Return-Path: <scott.rose@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A46A51A0462 for <dane@ietfa.amsl.com>; Wed, 3 Sep 2014 11:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dD935SgI97gW for <dane@ietfa.amsl.com>; Wed, 3 Sep 2014 11:05:47 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AA241A042D for <dane@ietf.org>; Wed, 3 Sep 2014 11:05:47 -0700 (PDT)
Received: from BLUPR09MB117.namprd09.prod.outlook.com (10.255.213.14) by BLUPR09MB118.namprd09.prod.outlook.com (10.255.213.141) with Microsoft SMTP Server (TLS) id 15.0.1019.16; Wed, 3 Sep 2014 18:05:46 +0000
Received: from BLUPR09MB117.namprd09.prod.outlook.com ([10.255.213.14]) by BLUPR09MB117.namprd09.prod.outlook.com ([10.255.213.14]) with mapi id 15.00.1019.015; Wed, 3 Sep 2014 18:05:46 +0000
From: "Rose, Scott" <scott.rose@nist.gov>
To: dane WG list <dane@ietf.org>
Thread-Topic: Enterprise email security reqs breakdown: REQ7 (signing/encryption certs)
Thread-Index: AQHPx6Gv/dJnikS3MEKt0CG6PuebyQ==
Date: Wed, 03 Sep 2014 18:05:46 +0000
Message-ID: <4ED17ED7-C9CC-40D8-A9B8-F46860A1D831@nist.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [132.163.220.187]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 032334F434
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(189002)(199003)(99286002)(74662001)(74502001)(4396001)(95666004)(2656002)(33656002)(31966008)(81342001)(82746002)(229853001)(107886001)(15975445006)(107046002)(46102001)(83072002)(85306004)(92566001)(92726001)(85852003)(87936001)(86362001)(36756003)(81542001)(21056001)(76482001)(19580395003)(83322001)(110136001)(106116001)(105586002)(106356001)(79102001)(99396002)(15202345003)(19580405001)(50986999)(54356999)(80022001)(77982001)(66066001)(64706001)(20776003)(83716003)(101416001)(90102001)(104396001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR09MB118; H:BLUPR09MB117.namprd09.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F3D3F9A7B4B42D4D8D5D87B9E79FC582@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/8Ut_ECvIA-x21qot6JvWcHK7h2U
Subject: [dane] Enterprise email security reqs breakdown: REQ7 (signing/encryption certs)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 18:05:49 -0000
This and following email will be an attempt to break down the requirements in draft-osterweil-dane-ent-email-reqs-00 into separate threads in an attempt to make it manageable and keep issues separate. Each thread will handle one (or two if similar) requirements and may include some strawman text to start discussion. Most of the text and reqs deal with S/MIME as the target technology but if it applies or could apply to other technologies, they should be included. I'm going to start using earlier text as the starting point. The resulting text can either be incorporated into the existing SMIMEA draft, or a new draft if it looks like that is the direction the WG wants to go towards. REQ 7: The protocol MUST allow for separate management, publication, and learning of keys that are used for signing versus encryption. Strawman text using naming convention: Domain names are prepared for requests in the following manner. 1. The left-most label is the function specific label segment. It is selected based on the S/MIME function the MUA is performing. Values are: "_encr" for obtaining or validating a certificate or public key to be used to encrypt a message. "_sign" for certificate validation data to verify a digital signature. The function specific label SHOULD be consistent with the Key Usage field (defined in section 4.2.1.3 of [RFC5280]) of the associated certificate. This fuction specific label allows for clients to query for a particular certificate and keep the DNS response minimal. Having this the left-most label allows for the use of wildcards if only one certificate is used for both digital signing and encryption if that is the policy of the organization. 1. The second left-most label is the user name (the "left-hand side" of the email address, called the "local-part" in the mail message format definition [RFC5322] and the "local part" in the specification for internationalized email [RFC6530]), as a SHA-224 hash. This does not include the "@" character that separates the left and right sides of the email address. 3. The string "_smimecert" becomes the third left-most label in the prepared domain. The function specific label segment is separate to enable delegation of a single _smimecert zone cut. 4. The domain name (the "right-hand side" of the email address, called the "domain" in [RFC5322]) is appended to the result of step 3 to complete the prepared domain name. Questions: 1. is this requirement reasonable? 2. (if reasonable): Is the strawman text adequate? Should another method be used other than a naming convention such as a different RRTYPE or usage field? Scott =================================== Scott Rose NIST scott.rose@nist.gov +1 301-975-8439 Google Voice: +1 571-249-3671 http://www.dnsops.gov/ ===================================
- [dane] Enterprise email security reqs breakdown: … Rose, Scott
- Re: [dane] Enterprise email security reqs breakdo… Osterweil, Eric