Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 06 February 2014 02:32 UTC

Date: Thu, 06 Feb 2014 02:32:34 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140206023234.GS278@mournblade.imrryr.org>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org> <20140205210516.GN278@mournblade.imrryr.org> <24074206-D8A9-48FE-AE80-46E8C21E684A@verisign.com> <20140205232336.GO278@mournblade.imrryr.org> <19493552-CDFD-44D6-866A-74B3305073F1@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <19493552-CDFD-44D6-866A-74B3305073F1@verisign.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>

On Thu, Feb 06, 2014 at 02:20:47AM +0000, Osterweil, Eric wrote:

> > I don't see any reason to de-authorize by publishing a blacklist,
> > when one can just simply stop publishing the record or replace a
> > TA record with an EE record.
> 
> Well, what about if I run a mail domain, I issue usage type 3
> certs, I don't want to run a CRL or OCSP service, and I want to
> remove a user account from my domain?

An EE cert per user is fine.  Just remove the EE cert in question
from the list of certificates associated with the user.  The
certificate is then no longer valid for signing new mail or
for encrypting new mail addressed to the user.

You're getting at a basic semantic question.  Does an SMIMEA record
publish ALL presently valid certificates for a user (a white-list
that fails closed, so blacklists are redundant), or only SOME of
the valid certificates, in which case one might conceivably want
explicit revocation...  My vote is for ALL.

-- 
	Viktor.
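The point made in the message above, that an SMIMEA RRset published as the complete set of currently valid certificates is a fail-closed white-list and that de-authorizing a certificate is just removing it from the RRset, is illustrated by the following added example. It is not code from the thread, the draft, or any real resolver; it models a zone as an in-memory dictionary, the certificates as constructed placeholder byte strings rather than real DER, and only certificate usage 3 (DANE-EE). The owner-name construction (first 28 octets of the SHA-256 of the local-part, hex-encoded, under _smimecert) follows the published RFC 8162 and is assumed here rather than taken from the -03 draft under discussion. DNSSEC validation is not modelled: in practice the white-list only fails closed if both the RRset and its absence (NSEC/NSEC3 denial of existence) are DNSSEC-validated, otherwise an on-path attacker can strip records.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: the DER bytes and the
    SubjectPublicKeyInfo inside it. Constructed placeholders, not real DER."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class SMIMEA:
    usage: int     # 3 = DANE-EE: the record names the end-entity cert itself
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


# Hypothetical zone: owner name -> SMIMEA RRset (stand-in for DNS)
Zone = Dict[str, List[SMIMEA]]


def smimea_owner(email: str) -> str:
    """Owner name per RFC 8162 (assumed): hex of the first 28 octets of
    SHA-256(local-part), then _smimecert under the mail domain. Case
    handling of the local-part is left to the zone operator."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}."


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute the association data a record would carry for this cert."""
    selected = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def publish(zone: Zone, email: str, cert: Cert,
            selector: int = 0, mtype: int = 1) -> None:
    """Add a usage-3 record for cert to the user's RRset (authorize)."""
    rr = SMIMEA(3, selector, mtype, association_data(cert, selector, mtype))
    zone.setdefault(smimea_owner(email), []).append(rr)


def deauthorize(zone: Zone, email: str, cert: Cert) -> int:
    """Remove every record matching cert; returns how many were removed.
    No CRL/OCSP is involved: absence from the RRset is the revocation."""
    owner = smimea_owner(email)
    before = zone.get(owner, [])
    keep = [rr for rr in before
            if rr.data != association_data(cert, rr.selector, rr.mtype)]
    if keep:
        zone[owner] = keep
    else:
        zone.pop(owner, None)   # empty RRset: nothing is valid for this user
    return len(before) - len(keep)


def is_authorized(zone: Zone, email: str, cert: Cert) -> bool:
    """White-list check: cert is acceptable only if some usage-3 record
    in the user's RRset matches it. No records, or no match: fail closed."""
    for rr in zone.get(smimea_owner(email), []):
        if rr.usage != 3:
            continue   # only DANE-EE is modelled here
        if rr.data == association_data(cert, rr.selector, rr.mtype):
            return True
    return False


def demo() -> Dict[str, object]:
    """Publish two certs for alice, retire one, and show the effect."""
    zone: Zone = {}
    alice_old = Cert(b"constructed-der-alice-2013", b"constructed-spki-alice-2013")
    alice_new = Cert(b"constructed-der-alice-2014", b"constructed-spki-alice-2014")
    mallory = Cert(b"constructed-der-mallory", b"constructed-spki-mallory")
    publish(zone, "alice@example.com", alice_old)               # full cert, SHA-256
    publish(zone, "alice@example.com", alice_new, selector=1)   # SPKI, SHA-256
    r: Dict[str, object] = {}
    r["old_before"] = is_authorized(zone, "alice@example.com", alice_old)
    r["new_before"] = is_authorized(zone, "alice@example.com", alice_new)
    r["mallory"] = is_authorized(zone, "alice@example.com", mallory)
    r["removed"] = deauthorize(zone, "alice@example.com", alice_old)
    r["old_after"] = is_authorized(zone, "alice@example.com", alice_old)
    r["new_after"] = is_authorized(zone, "alice@example.com", alice_new)
    r["bob_no_records"] = is_authorized(zone, "bob@example.com", alice_new)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because is_authorized only ever answers "yes" for a certificate that is present in the RRset, removing alice_old's record is sufficient to stop it being used for new signatures or for encrypting new mail to her, while alice_new keeps working; a blacklist would add nothing under these semantics.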