Re: [dane] I-D Action: draft-ietf-dane-smime-04.txt

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 08 January 2014 16:48 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F9AA1AE016 for <dane@ietfa.amsl.com>; Wed, 8 Jan 2014 08:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uYdC-qbocur2 for <dane@ietfa.amsl.com>; Wed, 8 Jan 2014 08:48:23 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id AD4621ADFD7 for <dane@ietf.org>; Wed, 8 Jan 2014 08:48:23 -0800 (PST)
Received: from [10.20.30.90] (50-1-51-230.dsl.dynamic.fusionbroadband.com [50.1.51.230]) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id s08GSGYO080222 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dane@ietf.org>; Wed, 8 Jan 2014 09:28:18 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-51-230.dsl.dynamic.fusionbroadband.com [50.1.51.230] claimed to be [10.20.30.90]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20140108160156.GE2317@mournblade.imrryr.org>
Date: Wed, 8 Jan 2014 08:48:09 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <89AE05E1-BC6C-46BA-A4CC-A8F29070096D@vpnc.org>
References: <20140108152321.10496.88212.idtracker@ietfa.amsl.com> <20140108160156.GE2317@mournblade.imrryr.org>
To: "dane@ietf.org list" <dane@ietf.org>
X-Mailer: Apple Mail (2.1827)
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 16:48:25 -0000

On Jan 8, 2014, at 8:01 AM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote:

> On Wed, Jan 08, 2014 at 07:23:21AM -0800, internet-drafts@ietf.org wrote:
> 
>> 	Filename        : draft-ietf-dane-smime-04.txt
> 
> Given the use of base32 encoding, and explicit non-support for
> names that encode to more than 63 bytes of base32 text, I would
> like to suggest that trailing "=*" padding be explicitly dropped
> from the base32 label allowing for somewhat longer inputs and less
> redundant outputs.
> 
> With base32, every 5 octets of input text encode to 8 octets of
> encoded text, therefore 35 octets encode to 56 octets, but anything
> longer encodes to 64 octets which is too long.  Thus inputs with
> 36-39 octets cannot be represented when the "=" padding is part
> of the encoded text.

In the real world, there are few users who have LHS user names that are more than 30 (or maybe even 20) characters long. What you are proposing is "base32 but not really base32" and that could introduce errors in libraries looking up the names.

> Also, with say "6" octets of input, e.g. "viktor", we have 48 bits
> of input which encodes to 9 full octets of 5 bit per octet output,
> plus a short 3 bit encoded octet, and then *7* octets of padding:
> 
> 	OZUWW5DPOI======
> 
> This seems rather wasteful.

Relative to, say, the size of a PKIX certificate? :-) 

>  The truncated encoding:
> 
>    OZUWW5DPOI
> 
> carries identical information.

Yes it does. It also puts a burden on the application to use our new "base32ish" encoding instead of the base32 encoding they already have. In order to save five bytes.

> Finally is the word "prohibited" appropriate in the new text:
> 
>       Also note that user names can be any length, and labels are
>       limited to 63 octets.  Also note that user names that are
>       encoded with Base32 are longer than the original user name.
>       Any user name that would cause a label of longer than 63
>       octets is expressly prohibited by this specification.
> 
> I would think "unsupported" or "incompatible" would be closer,
> since such local parts remain valid, even though there are incompatible
> with SMIMEA.

You are right: we'll change to "incompatible" in the next draft.

> One way to get around the length limit would be to break up long
> encoded strings into multiple labels at each 32 bytes of output
> (which decode to 20 bytes of input).  Thus the encoding of "Base32
> is a notation for encoding arbitrary byte data using a restricted
> set of symbols":
> 
>    IJQXGZJTGIQGS4ZAMEQG433UMF2GS33O
>    EBTG64RAMVXGG33ENFXGOIDBOJRGS5DS
>    MFZHSIDCPF2GKIDEMF2GCIDVONUW4ZZA
>    MEQHEZLTORZGSY3UMVSCA43FOQQG6ZRA
>    ON4W2YTPNRZQ			// trailing "====" truncated
> 
> would result in a multi-label DNS prefix of:
> 
>    ijqxgzjtgiqgs4zameqg433umf2gs33o.ebtg64ramvxgg33enfxgoidbojrgs5ds.mfzhsidcpf2gkidemf2gcidvonuw4zza.meqhezltorzgsy3umvsca43foqqg6zra.on4w2ytpnrzq
> 
> Allowing for significantly longer local parts (ultimately limited
> by the total length of a DNS fqdn when combined with the relevant
> suffix derived from the domain part).

I think this is vast overkill for a rarely-needed use case, but I'm open to hear where people think LHS names longer than 35 characters are used in places where S/MIME or PGP are also used.

--Paul Hoffman