IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 25 February 2015 19:15 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 972371A1BFE for <dane@ietfa.amsl.com>; Wed, 25 Feb 2015 11:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_47=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-cgfXMcffY7 for <dane@ietfa.amsl.com>; Wed, 25 Feb 2015 11:15:01 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54EA61A6EE1 for <dane@ietf.org>; Wed, 25 Feb 2015 11:15:01 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 4004E282FCC; Wed, 25 Feb 2015 19:15:00 +0000 (UTC)
Date: Wed, 25 Feb 2015 19:15:00 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150225191500.GZ1260@mournblade.imrryr.org>
References: <001a01d04f19$b0292e90$107b8bb0$@augustcellars.com> <20150223035230.GD1260@mournblade.imrryr.org> <001b01d04f1c$f626c940$e2745bc0$@augustcellars.com> <20150223040833.GF1260@mournblade.imrryr.org> <CAHw9_iJ167aCbpW=Fni0h_vsWLcWQVLC1P7vkr6X0cmAV9zG=g@mail.gmail.com> <20150223225630.GO1260@mournblade.imrryr.org> <CAHw9_iKNwGBOqdLm04Lqox6ai5tzK1Q-WfkxY=Qvtx+uOG1Qpw@mail.gmail.com> <alpine.LFD.2.10.1502251246430.3004@bofh.nohats.ca> <20150225181322.GU1260@mournblade.imrryr.org> <alpine.LFD.2.10.1502251356430.6550@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.10.1502251356430.6550@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/Df2gNLUOWYDr-_DGi7BtK-hC9Dw>
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2015 19:15:02 -0000

On Wed, Feb 25, 2015 at 02:01:38PM -0500, Paul Wouters wrote:

> On Wed, 25 Feb 2015, Viktor Dukhovni wrote:
> 
> >Once the client is making two queries, why accept collisions?  Are
> >we (after all these years) finally defining RFC-822/2822/5322 local
> >parts to be case-insensitive?  (Price of progress and all that?)
> >
> >Is a CNAME per-user really a major burden?
> 
> It's not one CNAME, it is many CNAMEs. You'll be hashing paul, Paul
> paul.wouters, Paul.Wouters, etc. I'd be better of with a wilcard :P

One CNAME per case-insensitive name (if the preferred form is mixed
or upper case).  Those other names you're mentioning if they all
share the same underlying keys would be CNAMEs you'd have to create
with or without my proposal for a mechanism to publish case-insensitive
names.

> The client needs smart logic anyway, and the client at least has a user
> it can interact with. It can ask "A key for Paul@nohats.ca does not
> exist but there is a key for paul@nohats.ca".

Why ask the user, when the server can just publish the fact that
all upper/mixed-case veriants of "paul" are the same mailbox.

> Needing to roll out between 2 and 4 different capitalizations for
> different [Ff]irstname.[Ll]astname makes everything more errorprone
> and the client still needs its logic and user interaction.

The I don't how you get to "4".  You can publish exactly one owner
for each case-insensitive "LocalPart", no CNAMEs required if you
are willing to accept clients making two queries to find keys in
your domain (space/time trade-off):

	SHA2-224(localpart@lowercase) IN <RDATA>

Optionally, for faster queries, if the mailbox has a preferred
form:

	SHA2-224(LocalPart)		IN <RDATA>
	SHA2-224(localpart@lowercase)   IN CNAME SHA2-224(LocalPart)

If there's also a "Local.Part" and "local.part" to go with it, that
it is completely separate from my proposal which deals only with
handling case-insensitive matching.  The overhead of supporting
case-insensitive matching is at most a second (CNAME) record for
each record that would be there in the absence of the proposal.
	
-- 
	Viktor.

v2.23.0 | Report a Bug | By Email