IETF Logo Mail Archive

[dane] Enterprise email security reqs breakdown: REQ7 (signing/encryption certs)

"Rose, Scott" <scott.rose@nist.gov> Wed, 03 September 2014 18:05 UTC

Return-Path: <scott.rose@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A46A51A0462 for <dane@ietfa.amsl.com>; Wed, 3 Sep 2014 11:05:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dD935SgI97gW for <dane@ietfa.amsl.com>; Wed, 3 Sep 2014 11:05:47 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AA241A042D for <dane@ietf.org>; Wed, 3 Sep 2014 11:05:47 -0700 (PDT)
Received: from BLUPR09MB117.namprd09.prod.outlook.com (10.255.213.14) by BLUPR09MB118.namprd09.prod.outlook.com (10.255.213.141) with Microsoft SMTP Server (TLS) id 15.0.1019.16; Wed, 3 Sep 2014 18:05:46 +0000
Received: from BLUPR09MB117.namprd09.prod.outlook.com ([10.255.213.14]) by BLUPR09MB117.namprd09.prod.outlook.com ([10.255.213.14]) with mapi id 15.00.1019.015; Wed, 3 Sep 2014 18:05:46 +0000
From: "Rose, Scott" <scott.rose@nist.gov>
To: dane WG list <dane@ietf.org>
Thread-Topic: Enterprise email security reqs breakdown: REQ7 (signing/encryption certs)
Thread-Index: AQHPx6Gv/dJnikS3MEKt0CG6PuebyQ==
Date: Wed, 03 Sep 2014 18:05:46 +0000
Message-ID: <4ED17ED7-C9CC-40D8-A9B8-F46860A1D831@nist.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [132.163.220.187]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 032334F434
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(189002)(199003)(99286002)(74662001)(74502001)(4396001)(95666004)(2656002)(33656002)(31966008)(81342001)(82746002)(229853001)(107886001)(15975445006)(107046002)(46102001)(83072002)(85306004)(92566001)(92726001)(85852003)(87936001)(86362001)(36756003)(81542001)(21056001)(76482001)(19580395003)(83322001)(110136001)(106116001)(105586002)(106356001)(79102001)(99396002)(15202345003)(19580405001)(50986999)(54356999)(80022001)(77982001)(66066001)(64706001)(20776003)(83716003)(101416001)(90102001)(104396001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR09MB118; H:BLUPR09MB117.namprd09.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F3D3F9A7B4B42D4D8D5D87B9E79FC582@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/8Ut_ECvIA-x21qot6JvWcHK7h2U
Subject: [dane] Enterprise email security reqs breakdown: REQ7 (signing/encryption certs)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Sep 2014 18:05:49 -0000

This and following email will be an attempt to break down the requirements in draft-osterweil-dane-ent-email-reqs-00 into separate threads in an attempt to make it manageable and keep issues separate.  Each thread will handle one (or two if similar) requirements and may include some strawman text to start discussion.  Most of the text and reqs deal with S/MIME as the target technology but if it applies or could apply to other technologies, they should be included.  

I'm going to start using earlier text as the starting point.  The resulting text can either be incorporated into the existing SMIMEA draft, or a new draft if it looks like that is the direction the WG wants to go towards.

REQ 7: The protocol MUST allow for separate management, publication,
           and learning of keys that are used for signing versus
           encryption.

Strawman text using naming convention:

Domain names are prepared for requests in the following manner.

   1.  The left-most label is the function specific label
       segment.  It is selected based on the S/MIME function the MUA is
       performing.  Values are:

          "_encr" for obtaining or validating a certificate or public
          key to be used to encrypt a message.

          "_sign" for certificate validation data to verify a digital
          signature.

      The function specific
       label SHOULD be consistent with the Key Usage field (defined in
       section 4.2.1.3 of [RFC5280]) of the associated certificate. This fuction
       specific label allows for clients to query for a particular certificate and
       keep the DNS response minimal.  Having this the left-most label allows 
       for the use of wildcards if only one certificate is used for both digital 
       signing and encryption if that is the policy of the organization.

  1.  The second left-most label is the user name (the "left-hand side" of the 
	email address, called
       the "local-part" in the mail message format definition [RFC5322]
       and the "local part" in the specification for internationalized
       email [RFC6530]), as a SHA-224 hash.  This does not include the 
      "@" character that separates the left and right sides
       of the email address.

  3.  The string "_smimecert" becomes the third left-most label in the
       prepared domain.  The function specific label segment is separate
       to enable delegation of a single _smimecert zone cut.

   4.  The domain name (the "right-hand side" of the email address,
       called the "domain" in [RFC5322]) is appended to the result of
       step 3 to complete the prepared domain name.




Questions:

1. is this requirement reasonable?  

2.  (if reasonable): Is the strawman text adequate?  Should another method be used other than a naming convention such as a different RRTYPE or usage field?


Scott

===================================
Scott Rose
NIST
scott.rose@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================

v2.23.0 | Report a Bug | By Email