Re: [dane] draft-wouters-dane-openpgp-01 review

Paul Wouters <> Tue, 07 January 2014 04:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 035D41ADF7E for <>; Mon, 6 Jan 2014 20:35:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.538
X-Spam-Status: No, score=-2.538 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.538] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2o5faj0oskYN for <>; Mon, 6 Jan 2014 20:35:26 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7B2D51ADF7B for <>; Mon, 6 Jan 2014 20:35:26 -0800 (PST)
Received: by (Postfix, from userid 500) id 8846C80055; Mon, 6 Jan 2014 23:35:17 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1389069317; bh=9qiUQguIWvC17zX5n7Jf70hlvebNdMsLbMIyahAVdf0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=tGk282bTaQkF5QdQc6P4Emg5PH+djV9qoT/F8sLAcTKkSy7+3iMiFBtTUKZAYNLwD VzzkLF9giKShNuUWD2hXltpYeGC/vSnBqwDmNuP0rwpbwqeVsyIWvh8ape+AFTHViC eGGS3eXSXU8/nn99r/9NLydh4rIRK9wLtPbGw/qk=
Received: from localhost (localhost []) by (Postfix) with ESMTP id 75EC380048; Mon, 6 Jan 2014 23:35:17 -0500 (EST)
Date: Mon, 6 Jan 2014 23:35:17 -0500 (EST)
From: Paul Wouters <>
To: Olafur Gudmundsson <>
In-Reply-To: <>
Message-ID: <>
References: <>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 8BIT
Cc: " list" <>
Subject: Re: [dane] draft-wouters-dane-openpgp-01 review
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jan 2014 04:35:28 -0000

On Mon, 6 Jan 2014, Olafur Gudmundsson wrote:

> I just reviewed the draft with an eye if it is ready to be used as reference for DNS RRYTPE template submission. 
> The draft specifies that Presentation Format for the RRTYPE is Base64 (good) 
> The draft specifies that the WIRE Format for the RRTYPE is Base64 (bad) 
> I suggest that the draft be expanded to talk about Presentation format and Wire Format separately. 

That was a very good point and unclear in the document. I've addressed
these and will submit the new version soon.

> Making this change in the draft will require that Paul needs to update his tool that he released today. 

That's fine :)

> Nits and questions: 
> Section 3 says: "If an an OPENPGPKEY RR contains an expired OpenPGP
>    public key, it MUST NOT be used for encryption." 
> Suggest: "SHOULD" instead 
> Section 3.1 I propose that this section be moved into Section 4, leaving only 
> 3 and 3.2 in section 3. 
> Section 3 then only defines the DNS RR 
> Section 4 then deals with location of the records in zones and how to convert "email address" into
> DNS labels. 
> Section 4.4 (KEY size and record size issues) is orthogonal to section 4. and should (it you keep it) become a new section
> on usage and operational guidance. 
> In addition to talk about key size it should recommend that a user SHOULD only have one Active record, i.e. the key
> it wants others to use to use for encryption. 
> Section 7: should become an appendix (how to generate a record)

I've made these changes, and after some more talking decided to split
this document in two. One for just the technical specification of the
DNS record, and one for the recommended usage of the DNS record.

> Question: Transitioning trust from old key to new key is not covered in this draft, should it ?

I don't think so. I cannot come up with any good "rollover advise" I
would give other than "replace the DNS record once you have a new PGP
key". Whether you lost your old PGP key or not, when you are ready for
the new PGP key, you can just remove the old one.