Re: [dane] draft-ietf-dane-smime

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 02 October 2014 22:46 UTC

Date: Thu, 02 Oct 2014 22:46:48 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141002224648.GO13254@mournblade.imrryr.org>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <CAMaMmn=pD--mUM2oEHMWmQ7WuO_ReCZQRfTKgVpHtoXyBxj8zQ@mail.gmail.com> <F85169F2-8263-443B-BBCC-5BA9AE2EE8E4@kirei.se> <CAMaMmnn4zJRW+bsEmU61QBQ4TeqZnUSj1ZEsbt624tcfV=Xsmg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAMaMmnn4zJRW+bsEmU61QBQ4TeqZnUSj1ZEsbt624tcfV=Xsmg@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/DIugnyNuOo1Dp5J5MWmdcEyxq9U
Subject: Re: [dane] draft-ietf-dane-smime

On Thu, Oct 02, 2014 at 05:05:14PM -0400, Doug Montgomery wrote:

> And how is that definitively distinguishable from that email identity never
> having a CERT in DANE in the first place?

It is not, but identities can have multiple associated certificates,
and in fact need to do so during key rotation.  The proposal seems
to suggest a revocation of the "identity" rather than a particular
key and this seems to be operating at the wrong granularity.

Ignoring everything but the CU with usage 4 eliminates the option
of revoking key "A" while publishing a replacement key "B".

Explicit revocation is not a good idea in DANE, the DNS publishes
a sufficiently current state of the world, not a stale assertion
with a one year TTL.  It is I think a mistake to ask where the
handbrake goes on a boat, when one happens to be more familiar with
cars.

In any case if CU=4 is to be a DANE revocation record, it should
have a meaningful selector, matching type and association data.
It should be an explicit revocation of just the matching certificate
or public key (whether it be associated with a trust-anchor or an
end-entity).

-- 
	Viktor.
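The granularity argument in the message above, as an added illustration that is not part of the original post or of any IETF draft: a toy model of DANE record matching with the usual RFC 6698 fields (usage, selector, matching type, association data). Certificate usage 4 is not a registered DANE usage; it is modelled here purely as the hypothetical "revocation" usage under discussion. The per-key variant removes only the key whose digest the usage-4 record carries, so key "A" can be revoked while replacement key "B" stays published; the identity-level variant (treat any usage-4 record as "ignore everything") revokes both. Certificate and SPKI bytes are constructed placeholders, not real DER.

```python
"""Toy DANE association matching to illustrate per-key vs identity-level
revocation.  Added example; usage 4 is hypothetical, not a standard value."""
import hashlib
from dataclasses import dataclass
from typing import List

DANE_EE = 3   # registered TLSA/SMIMEA usage: end-entity certificate
REVOKED = 4   # hypothetical usage from the draft discussion (NOT registered)


@dataclass(frozen=True)
class Record:
    usage: int
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes          # certificate association data


@dataclass(frozen=True)
class Cert:
    name: str
    cert_der: bytes      # constructed placeholder, not real DER
    spki_der: bytes      # constructed placeholder, not real DER


def _selected(cert: Cert, selector: int) -> bytes:
    if selector == 0:
        return cert.cert_der
    if selector == 1:
        return cert.spki_der
    raise ValueError(f"unknown selector {selector}")


def _digest(data: bytes, matching_type: int) -> bytes:
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_record(usage: int, selector: int, matching_type: int, cert: Cert) -> Record:
    """Publish a record whose association data identifies exactly this cert/key."""
    return Record(usage, selector, matching_type,
                  _digest(_selected(cert, selector), matching_type))


def matches(record: Record, cert: Cert) -> bool:
    """Does the record's association data identify this certificate/key?"""
    return record.data == _digest(_selected(cert, record.selector), record.matching_type)


def accepted(records: List[Record], candidates: List[Cert]) -> List[str]:
    """Per-key granularity: a candidate is accepted if some usage-3 record
    matches it and no usage-4 (hypothetical revocation) record matches it."""
    out = []
    for c in candidates:
        published = any(matches(r, c) for r in records if r.usage == DANE_EE)
        revoked = any(matches(r, c) for r in records if r.usage == REVOKED)
        if published and not revoked:
            out.append(c.name)
    return out


def accepted_identity_level(records: List[Record], candidates: List[Cert]) -> List[str]:
    """The alternative criticised in the message: the mere presence of a
    usage-4 record means 'ignore everything else', so every key of the
    identity is treated as revoked, including the replacement."""
    if any(r.usage == REVOKED for r in records):
        return []
    return [c.name for c in candidates
            if any(matches(r, c) for r in records if r.usage == DANE_EE)]


# Constructed sample keys (placeholder bytes) for one mail identity.
KEY_A = Cert("A", b"cert-A-der-placeholder", b"spki-A-der-placeholder")
KEY_B = Cert("B", b"cert-B-der-placeholder", b"spki-B-der-placeholder")

# Key rotation in progress: both keys published, old key A explicitly revoked
# by a usage-4 record carrying A's SPKI SHA-256 digest (selector 1, type 1).
RRSET = [
    make_record(DANE_EE, 1, 1, KEY_A),
    make_record(DANE_EE, 1, 1, KEY_B),
    make_record(REVOKED, 1, 1, KEY_A),
]

if __name__ == "__main__":
    print("per-key revocation  :", accepted(RRSET, [KEY_A, KEY_B]))
    print("identity-level flag :", accepted_identity_level(RRSET, [KEY_A, KEY_B]))
```

In the per-key model the usage-4 record is only meaningful because its selector, matching type and association data pin it to key A; with those fields ignored the record can say nothing more specific than "this identity", which is the wrong granularity for rotation.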