Re: [dane] Improving DANE S/MIME Privacy

Phil Pennock <> Thu, 13 April 2017 03:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8CDEB126C3D for <>; Wed, 12 Apr 2017 20:59:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1248-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2nS6WNpDvTiW for <>; Wed, 12 Apr 2017 20:59:07 -0700 (PDT)
Received: from ( [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 288E3124D37 for <>; Wed, 12 Apr 2017 20:59:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=d201702; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=HvUHINjvvhanOIfosgNvhI15Yx1Yio9SGeWQOyU9TMo=; b=oQ4QjDFiKR9C5s9jxD33qHm1MS cd/sYu+hv/VkgrrESFT7q2ljbSCPSujLJFEJRjnF0x6CB1EapVA6o1RK5uTxCjdM8S6j3oQD+Z+vd yV18BXuaNZUyiY5+ztxzMom225L4AjH/0hTTuQvieW/AhTjpaShJNvy/2/oRh2Csr1DRJV+MwBiAl puZtuD7LCjRMd4qQ1RjlLWdcRn49;
Received: from authenticated user by with esmtpa id 1cyVuS-0006qR-4S; Thu, 13 Apr 2017 03:59:04 +0000
Date: Thu, 13 Apr 2017 03:59:03 +0000
From: Phil Pennock <>
To: IETF DANE Mailinglist <>
Message-ID: <>
Mail-Followup-To: IETF DANE Mailinglist <>,
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
OpenPGP: url=
Archived-At: <>
Subject: Re: [dane] Improving DANE S/MIME Privacy
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 13 Apr 2017 03:59:08 -0000

On 2017-04-11 at 14:39 -0400, Viktor Dukhovni wrote:
> > On Apr 11, 2017, at 1:38 PM, Viktor Dukhovni <> wrote:
> > 
> > If the design were up to me, I'd not have published per-user keys.
> > Instead a site-wide trust-anchor record scales better to large user
> > communities, and mostly addresses your concerns.
> I should note that one can of course implement one's SMIMEA deployment
> in exactly this way, something along the lines of:
>    * IN SMIMEA 2 1 1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
> would associate the same TA public key digest with every user, and would
> not enable user enumeration.

FWIW, I did something similar to this.  Of course, there's a chicken/egg
problem in _getting_ the CA cert for private CAs, unless you put the
whole cert into DNS.  And wildcards for something that large would be
cache-unpleasant, but I did the same thing I do for TLSA records: define
one SMIMEA record and CNAME to it elsewhere.  Much more cache friendly.

I never thought I'd see the day that I willingly chose to deploy a
wildcard CNAME.   :^D

*._smimecert            CNAME   _globnix-smimea
_globnix-smimea         SMIMEA  (       ; GlobnixCA5 PKIX-less trust anchor
        02 00 00
; SKIP: binary blob for an ECDSA CA

I can't attest that this _works_.  As far as I know, it's entirely
draft-spec compliant.

If anyone has tooling which actually _uses_ SMIMEA, I'm happy to send
you a test mail, or be given pointers to how to try it out.  So far, I
have an SMIME setup to theoretically let others verify mail I send, and
that's it.