Re: [dane] Second WGLC draft-ietf-dane-smime

"Garfinkel, Simson L. (Fed)" <simson.garfinkel@nist.gov> Mon, 21 November 2016 14:33 UTC

From: "Garfinkel, Simson L. (Fed)" <simson.garfinkel@nist.gov>
To: Dane WG <dane@ietf.org>
Date: Mon, 21 Nov 2016 14:33:45 +0000
Message-ID: <42510095-2182-422E-8A47-1EF3181B16F3@nist.gov>
References: <1479102464.995918272@apps.rackspace.com> <alpine.LRH.2.20.1611170410140.28374@bofh.nohats.ca> <D96EB1EE-A7C6-4C21-B1AC-1D0A5F8547E8@rfc1035.com> <CADyWQ+EC4v5U1tcw3OTd7j2D0KNWveNhsUSGc6c=NvX9VhtRLg@mail.gmail.com>
In-Reply-To: <CADyWQ+EC4v5U1tcw3OTd7j2D0KNWveNhsUSGc6c=NvX9VhtRLg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/9KkVfeWGbORusRrJcZmPh1bwCyc>
Subject: Re: [dane] Second WGLC draft-ietf-dane-smime

Previously on this list I wrote this to a poster:

On Nov 17, 2016, at 9:11 AM, Garfinkel, Simson L. (Fed) <simson.garfinkel@nist.gov> wrote:

  It’s clear that distributing public key certificates is a fundamental problem with the PKI concept. How would you solve it such that individuals could obtain certificates for people with whom they have had no previous contact?

To summarize the answer I received, there was concern that some email users might be using a legacy email account, not trust their mail provider, and want the assurance of an end-to-end encryption that is asserted by a trustworthy CA.

I’ve thought about this response over the weekend and do not find it credible. This answer presupposes a CA system that is not the one that we have. Most CA S/MIME providers authenticate users based on their ability to receive email at a given address.  So a hostile email provider intent on intercepting encrypted email could easily spoof even a trusted CA provider into issuing a bogus certificate.

I am also concerned about the broad number of CAs that are trusted under the current model. DANE allows the scoping of CA trust. It allows an email provider to say “we only trust this specific CA to issue a certificate, because that’s the CA that we use in our organization.”  With a CA-based system that does not use DANE, there is no mechanism for individuals to signal to people with whom they have had no previous contact that a specific CA is in use and another CA is not to be trusted.

Given this, I support publication as an experimental RFC.

We continue to pursue and support R&D efforts to develop SMIME-based approaches to enterprise email security.   Having a stable reference will benefit those efforts.

Simson Garfinkel

===================
Simson Garfinkel
Information Access Division
National Institute of Standards and Technology
simson.garfinkel@nist.gov
202-649-0029
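To make the "scoping of CA trust" point concrete, here is an added example (not code from the thread or from the draft's authors). It derives the SMIMEA owner name for a mailbox and checks a presented certificate chain against published SMIMEA records; it assumes the record naming and RDATA layout as published in RFC 8162 (the RFC that draft-ietf-dane-smime became), and the "certificates" are constructed byte strings standing in for DER so that it runs offline without a crypto library. PKIX path validation, which usages 0 and 1 additionally require, is not modelled.

```python
"""Toy SMIMEA owner-name derivation and certificate matching.

Added example, not from the mailing-list thread. Record layout follows
RFC 8162 (same RDATA as TLSA); certificates are stand-in byte strings.
"""
import hashlib
from dataclasses import dataclass
from typing import List

SMIMECERT_LABEL = "_smimecert"


def smimea_owner_name(mailbox: str) -> str:
    """Owner name to query: hex(SHA2-256(local-part)[:28]) + "._smimecert." + domain.
    (Naming rule as published in RFC 8162, assumed here.)"""
    local_part, sep, domain = mailbox.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mailbox: {mailbox!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{SMIMECERT_LABEL}.{domain}"


@dataclass(frozen=True)
class Cert:
    der: bytes    # stand-in for the full DER certificate
    spki: bytes   # stand-in for its SubjectPublicKeyInfo


@dataclass(frozen=True)
class SmimeaRecord:
    usage: int     # 0 PKIX-CA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: bytes    # certificate association data


def _select(cert: Cert, selector: int) -> bytes:
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki
    raise ValueError(f"unknown selector {selector}")


def _match(data: bytes, matching: int) -> bytes:
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_record(usage: int, selector: int, matching: int, cert: Cert) -> SmimeaRecord:
    """Build the record a mail domain would publish for `cert`."""
    return SmimeaRecord(usage, selector, matching, _match(_select(cert, selector), matching))


def record_matches(rec: SmimeaRecord, cert: Cert) -> bool:
    return _match(_select(cert, rec.selector), rec.matching) == rec.data


def chain_accepted(records: List[SmimeaRecord], chain: List[Cert]) -> bool:
    """True if some record is satisfied by the presented chain
    (chain[0] is the end-entity certificate, chain[1:] its issuers).
    Usages 1 and 3 must match the end-entity cert; usages 0 and 2 must match
    one of the issuing CAs, which is what lets a domain say "only this CA"."""
    for rec in records:
        if rec.usage in (1, 3):
            candidates = chain[:1]
        elif rec.usage in (0, 2):
            candidates = chain[1:]
        else:
            continue  # unknown usage: record is unusable and skipped
        if any(record_matches(rec, c) for c in candidates):
            return True
    return False


# Constructed sample data: the organisation's own CA and Alice's cert, plus a
# cert for the same mailbox issued by some other (publicly trusted) CA.
ORG_CA = Cert(der=b"DER:org-ca", spki=b"SPKI:org-ca-key")
ALICE = Cert(der=b"DER:alice", spki=b"SPKI:alice-key")
OTHER_CA = Cert(der=b"DER:other-ca", spki=b"SPKI:other-ca-key")
ALICE_ROGUE = Cert(der=b"DER:alice-rogue", spki=b"SPKI:alice-rogue-key")

# What example.com publishes for alice@example.com: usage 2 (DANE-TA),
# selector 1 (SPKI), matching 1 (SHA-256): only chains through ORG_CA's key count.
PUBLISHED = [make_record(2, 1, 1, ORG_CA)]


def demo() -> dict:
    return {
        "name": smimea_owner_name("alice@example.com"),
        "legit": chain_accepted(PUBLISHED, [ALICE, ORG_CA]),
        "rogue": chain_accepted(PUBLISHED, [ALICE_ROGUE, OTHER_CA]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "rogue" chain is rejected even though its issuer would be accepted by a client that trusts every CA in a browser-style trust store: the published record, not the trust store, decides which issuer is acceptable for that mailbox.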
On Nov 21, 2016, at 2:08 AM, tjw ietf <tjw.ietf@gmail.com> wrote:

I've read this document and I support publication.

I'm more inclined to publish as Experimental, but I'm not beholden to the correct flavor.

tim

On Thu, Nov 17, 2016 at 7:33 PM, Jim Reid <jim@rfc1035.com> wrote:

> On 17 Nov 2016, at 09:19, Paul Wouters <paul@nohats.ca> wrote:
>
> I am in favour of publishing this document as an Experimental RFC.

I support publication of this document too: don't care which flavour of RFC is chosen for it.

_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane