Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 05 February 2014 23:23 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E86C41A02A1 for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 15:23:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0nEcxwM0p1Vj for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 15:23:38 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 6066B1A0275 for <dane@ietf.org>; Wed, 5 Feb 2014 15:23:38 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 76DE62AAD0D; Wed, 5 Feb 2014 23:23:36 +0000 (UTC)
Date: Wed, 05 Feb 2014 23:23:36 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140205232336.GO278@mournblade.imrryr.org>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org> <20140205210516.GN278@mournblade.imrryr.org> <24074206-D8A9-48FE-AE80-46E8C21E684A@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <24074206-D8A9-48FE-AE80-46E8C21E684A@verisign.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 23:23:41 -0000
On Wed, Feb 05, 2014 at 09:30:34PM +0000, Osterweil, Eric wrote: > So, I worry that this relies on implicit assumptions being made > about processing being done on the MUA (RP) side. If something is > not available in DNS, does that mean I shouldn't use a cert I may > already have in hand, I shouldn't fall back to AD, I shouldn't use > a previously seen value, etc? How do I know the domain was ever > serving SMIMEA if there is nothing in there now? I suppose we > could conflate deauthorization of certs with revocation of certs. > However, I was suggesting that we _could_ use this opportunity to > express an unambiguous piece of evidence that clients should use > SMIMEA-processing, and should _not_ use a specific cert (even though > it may not be universally revoked). Well if the DNS is not available, you won't see the DNS revocation either. So I think you're imagining a situation were a client is often disconnected, and caches certificates. In that case, I would suggest the following strategy for an SMIMEA capable MUA: Each signed message received by the MUA is initially in an unknown verificaiton state. When an SMIMEA lookup is successful, and returns a usable certificate the message is marked permanently valid (certificate valid at time of message receipt). The certificate can be cached for the shortest of the TTL of the SMIMEA RRset, the RRSIG expiration time and a configurable local cache limit (suggested default 7 days). Each new message received generates a new background attempt to determine the SMIMEA records, but if cached data is available, a cached certificate can be used (lies within RRSIG lifetime). Likewise, outgoing mail can be encrypted to a cached certificate only within its DNSSEC validity interval, but otherwise requires a new SMIMEA lookup. Basically the MUA operates with a stored (rather than in-memory) DANE RRset cache. > > When the DANE associated data published for a user is a CA that > > signs multiple EE certs and a particular user's keys need to be > > revoked, the simplest solution is to publish an EE association for > > that user until the revoked certificate expires. Either way there > > is a special EE DANE record for the user in question, but one or > > more valid EE certs are more useful than a list of invalid EE certs. > > As I think you said above, ``DANE records (SMIMEA, TLSA, ?) are > maintained by the subject's domain and can be presumed *current* > when the publishing domain is not negligent.'' I think it's a nice > option to give DNS provisioning systems to set a flag in an RR that > deauthorizes a cert w/o having to have the CA issue a new association. > Perhaps I'm off here, but it seems far more complicated from an > operational perspective to have to hop through a CA and get something > issued in order to deauthorize a cert rather than just updating > the RR, no? I don't see any reason to de-authorize by publishing a blacklist, when one can just simply stop publishing the record or replace a TA record with an EE record. -- Viktor.
- [dane] I-D Action: draft-ietf-dane-smime-03.txt internet-drafts
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Scott Rose
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Hoffman
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Scott Rose
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Scott Rose
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Jakob Schlyter
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- [dane] draft-ietf-dane-smime and certificate disc… Paul Hoffman
- Re: [dane] draft-ietf-dane-smime and certificate … Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime and certificate … Paul Hoffman
- Re: [dane] draft-ietf-dane-smime and certificate … Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime and certificate … Paul Hoffman
- Re: [dane] draft-ietf-dane-smime and certificate … Viktor Dukhovni
- Re: [dane] draft-ietf-dane-smime and certificate … Paul Hoffman
- Re: [dane] draft-ietf-dane-smime and certificate … Osterweil, Eric
- Re: [dane] draft-ietf-dane-smime and certificate … Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Wouters
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Andrew Sullivan
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Andrew Sullivan
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Mark Andrews
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Mark Andrews
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Larsen, Todd
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Larsen, Todd
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Osterweil, Eric
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Jakob Schlyter
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Jim Schaad
- [dane] Feature creep for draft-ietf-dane-smime Paul Hoffman
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Wiley, Glen
- Re: [dane] Feature creep for draft-ietf-dane-smime Tom Ritter
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Wouters
- Re: [dane] Feature creep for draft-ietf-dane-smime Paul Wouters
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] Feature creep for draft-ietf-dane-smime Paul Hoffman
- Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] Feature creep for draft-ietf-dane-smime John Levine
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Paul Wouters
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] I-D Action: draft-ietf-dane-smime-03.t… Viktor Dukhovni
- Re: [dane] Feature creep for draft-ietf-dane-smime Osterweil, Eric
- Re: [dane] Feature creep for draft-ietf-dane-smime Viktor Dukhovni
- Re: [dane] Feature creep for draft-ietf-dane-smime Warren Kumari
- Re: [dane] draft-ietf-dane-smime and certificate … Wes Hardaker