Re: [dane] Use OPENPGPKEY or SMIMEA if both are available?
Patrick Ben Koetter <p@sys4.de> Mon, 09 March 2015 21:21 UTC
Return-Path: <p@sys4.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70DF71ACD96 for <dane@ietfa.amsl.com>; Mon, 9 Mar 2015 14:21:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.961
X-Spam-Level:
X-Spam-Status: No, score=-3.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lHinBfoHWtum for <dane@ietfa.amsl.com>; Mon, 9 Mar 2015 14:21:21 -0700 (PDT)
Received: from mail.sys4.de (mail.sys4.de [194.126.158.139]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05BF21ACD7C for <dane@ietf.org>; Mon, 9 Mar 2015 14:21:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sys4.de; h= in-reply-to:content-transfer-encoding:content-disposition :content-type:content-type:mime-version:references:message-id :subject:subject:from:from:date:date; s=mail201310; t= 1425936077; x=1427750478; bh=jBMBvNDPU1EKu9YXFu20nDWRCSkDw3IsTm/ iLusSIKo=; b=hbO6qxNXTkg3PxArZF+KB6l4RqnHa3sWn/tG0k0xoGBQ0lE+5YJ J3bcBC99ahTbChz5Os5OK7flEeaAfyluahSWYu+seuXHb9qDsz2Kh3hEZMRIg/uC j2DQzZPeTWvrnUK6M0TDFSvV9mGlmoUTngxT5DGli/zwnBoF4W35XLSsWqzCtFyR d+LNpy57LgUy8wbsEvYZ5sWjpBeu0U8K3vR3jT8/WnCRxUIdwbUnm4geFFhY/2tM 5WnX00GO+ddBGQhUOLZgTwIlQAw3/cbk9QuPJ9MKMiH12wBDN2qnbkdognRdXAQX aLxh+0kQuMsYqtb1nxyhBuNLkflno9uw9tw==
X-Virus-Scanned: Debian amavisd-new at mail.sys4.de
Received: from sys4.de (ipb21b19f6.dynamic.kabel-deutschland.de [178.27.25.246]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sys4.de (Postfix) with ESMTPSA id 3l1CCd16DGzFy for <dane@ietf.org>; Mon, 9 Mar 2015 22:21:17 +0100 (CET)
Date: Mon, 09 Mar 2015 22:21:15 +0100
From: Patrick Ben Koetter <p@sys4.de>
To: dane@ietf.org
Message-ID: <20150309212115.GC8242@sys4.de>
References: <20150309195944.GB8242@sys4.de> <alpine.LFD.2.10.1503091601440.29875@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <alpine.LFD.2.10.1503091601440.29875@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/AQ2MIQwgbme-7l7tkmVkDl20gdA>
Subject: Re: [dane] Use OPENPGPKEY or SMIMEA if both are available?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2015 21:21:28 -0000
* Paul Wouters <paul@nohats.ca>: > On Mon, 9 Mar 2015, Patrick Ben Koetter wrote: > > >while thinking about OPENPGPKEY and SMIMEA I came across this question: > > > >What if a recipient publishes both, an OPENPGPKEY and a SMIMEA RR in DNS and > >what if a sender (MUA/MTA Filter) is capable to encrypt messages for both > >standars S/MIME and PGP. > > > >Which should the sender prefer? Could the receiver indicate a preference? > > > >Has there been any discussion on this? Should there be? Did it take place and > >I missed it? > > It has not been discussed. > > I would think this is a local policy decision. Likely, if respondering > to an encrypted message using X, one would encrypt back using X if the > local policy allows this. If sending a message from scratch, I would > think local policy applies? > > An email client could prompt the user. An MTA would have to make a > decision on its own, based on its policy. > > I wouldn't go so far as to allow the recipient to show a preference. The > recipient shows its accepted methods by publishing the related record in > DNS. This works similar to crypto suite/algo negotiations. The initiator > can pick its favourite from the intersection of what both parties > support. I think there are several options to handle OPENPGPKEY and SMIMEA conflicts. My intention is to find the one that requires the least or no sender interaction. Why? End to end encryption is known to be complicated. That's one of the main reasons why average users refuse to use it. They consider themselves unable to make the right decisions. They avoid these conflicts refusing to use end-to-end encryption at all. Both, OPENPGPKEY and SMIMEA, carry the potential to increase wider usage of encryption. They offer a safe way for automated key distribution. All a sender will have to do is 'send' the message. Given appropriate software, MUA or MTA, will handle safe key retrieval and encrypt the message for any OPENPGPKEY and SMIMEA enabled recipient. Letting the sender decide in case of conflicts - OPENPGPKEY and SMIMEA are present at the time of sending - puts the burden back on the sender. I'd like to avoid that because I expect this to be counterproductive for wider adoption. One way to handle this without user interaction is to handle it at MTA level. The operator could specify a preference. Another way would be to let the recipient specify a preference. Preferring one over the other would only take place if the sending MUA/MTA was able to deal with either standard. The sender would not have to interact with the software to make a decision. The recipient could indicate preference for standard A e.g. simply because messages encrypted by A can be read on more devices (desktop/tablet/mobile). Standard B would only serve as fallback. This would still leave the option to override on the sender's side. But then it would be intentionally. Most of the time recipient preference would just "do the right thing". p@rick -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
- [dane] Use OPENPGPKEY or SMIMEA if both are avail… Patrick Ben Koetter
- Re: [dane] Use OPENPGPKEY or SMIMEA if both are a… Paul Wouters
- Re: [dane] Use OPENPGPKEY or SMIMEA if both are a… Patrick Ben Koetter
- Re: [dane] Use OPENPGPKEY or SMIMEA if both are a… Viktor Dukhovni
- Re: [dane] Use OPENPGPKEY or SMIMEA if both are a… Patrick Ben Koetter