Re: [dane] draft-ietf-dane-smime

Jakob Schlyter <jakob@kirei.se> Thu, 02 October 2014 21:00 UTC

From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <CAMaMmn=pD--mUM2oEHMWmQ7WuO_ReCZQRfTKgVpHtoXyBxj8zQ@mail.gmail.com>
Date: Thu, 02 Oct 2014 23:00:39 +0200
Message-Id: <F85169F2-8263-443B-BBCC-5BA9AE2EE8E4@kirei.se>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <CAMaMmn=pD--mUM2oEHMWmQ7WuO_ReCZQRfTKgVpHtoXyBxj8zQ@mail.gmail.com>
To: Doug Montgomery <dougm.work@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/B-qFEvloMfD8cqhKlThiK1aOuy4
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dane WG list <dane@ietf.org>
Subject: Re: [dane] draft-ietf-dane-smime
X-List-Received-Date: Thu, 02 Oct 2014 21:00:54 -0000

On 2 Oct 2014, at 22:56, Doug Montgomery <dougm.work@gmail.com> wrote:

> Having a scalable, simple, but definitive way to indicate that a previously valid email-identity/certificate is no longer valid within a given domain is a useful feature that doesn't seem to have an analog use case in TLS.

If you trust in DANE, and the certificate is no longer published in DNS, it is not valid - no revocation is needed.
If you do not trust in DANE, normal/legacy revocation procedures (OCSP/CRL) apply.

my 0.01€,

	jakob
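
The validation model Jakob describes, as an added illustration that is not part of his message or of draft-ietf-dane-smime: a verifier that trusts DANE treats a certificate as valid only while a matching SMIMEA-style record is published for the mailbox, so withdrawing the record is the revocation; a verifier that does not trust DANE keeps consulting the CRL. The record layout (usage, selector, matching type, association data) follows TLSA; the owner-name construction (SHA-256 of the local-part truncated to 28 octets, hex-encoded, under `_smimecert`) is an assumption of this example, as are the function names and the stand-in certificate bytes. Treating any absent or non-matching record as "not valid" whenever DANE is trusted is the policy the reply states, not a claim about the draft's exact fallback rules.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class SmimeaRecord:
    """Hypothetical SMIMEA-style record; field meanings mirror TLSA."""
    usage: int      # 0..3 as in TLSA; 3 = DANE-EE (end-entity certificate)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def owner_name(local_part: str, domain: str) -> str:
    # Assumed owner-name form: hash of the local-part, truncated to 28 octets,
    # hex-encoded, under the _smimecert label of the mailbox's domain.
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}"


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    # Derive the bytes a record would carry for this certificate.
    payload = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return payload
    if matching == 1:
        return hashlib.sha256(payload).digest()
    if matching == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError(f"unknown matching type {matching}")


def record_matches(rec: SmimeaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    return association_data(cert_der, spki_der, rec.selector, rec.matching) == rec.data


def validate_sender_cert(email: str, cert_der: bytes, spki_der: bytes,
                         zone: Dict[str, List[SmimeaRecord]], crl: Set[bytes],
                         trust_dane: bool = True) -> str:
    """Return a short verdict string for the given sender certificate."""
    local_part, _, domain = email.rpartition("@")
    if trust_dane:
        published = zone.get(owner_name(local_part, domain), [])
        if any(record_matches(r, cert_der, spki_der) for r in published):
            return "valid-dane"
        # No matching record published in DNS: the certificate is not valid.
        # Nothing further (OCSP/CRL) needs to be consulted in this model.
        return "invalid-not-published"
    # Legacy path: the CRL (modelled here as a set of certificate fingerprints).
    if hashlib.sha256(cert_der).digest() in crl:
        return "invalid-revoked-legacy"
    return "valid-legacy"


# Constructed stand-ins; real inputs would be DER-encoded structures.
CERT_DER = b"constructed-der-certificate-bytes"
SPKI_DER = b"constructed-der-spki-bytes"


def build_zone(email: str, cert_der: bytes) -> Dict[str, List[SmimeaRecord]]:
    # Publish one DANE-EE record (selector 0, SHA-256 of the full certificate).
    local_part, _, domain = email.rpartition("@")
    rec = SmimeaRecord(3, 0, 1, hashlib.sha256(cert_der).digest())
    return {owner_name(local_part, domain): [rec]}


def demo() -> Dict[str, str]:
    email = "alice@example.com"
    zone = build_zone(email, CERT_DER)
    crl: Set[bytes] = set()
    results = {}
    results["published"] = validate_sender_cert(email, CERT_DER, SPKI_DER, zone, crl)
    # The domain operator withdraws the record: that is the revocation in the DANE model.
    withdrawn = {name: [] for name in zone}
    results["withdrawn"] = validate_sender_cert(email, CERT_DER, SPKI_DER, withdrawn, crl)
    # A client that does not trust DANE still accepts the certificate until the CRL catches up.
    results["legacy_unrevoked"] = validate_sender_cert(email, CERT_DER, SPKI_DER, withdrawn, crl, trust_dane=False)
    crl.add(hashlib.sha256(CERT_DER).digest())
    results["legacy_revoked"] = validate_sender_cert(email, CERT_DER, SPKI_DER, withdrawn, crl, trust_dane=False)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:18s} {verdict}")
```

The "legacy_unrevoked" step is the practical caveat: withdrawing the DNS record only revokes the certificate for DANE-trusting verifiers, so a domain that also serves non-DANE recipients still has to update its CRL/OCSP for the same certificate.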