Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt
"Jim Schaad" <ietf@augustcellars.com> Tue, 11 September 2012 05:04 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: 'Jakob Schlyter' <jakob@kirei.se>, 'IETF DANE WG list' <dane@ietf.org>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>
In-Reply-To: <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>
Date: Mon, 10 Sep 2012 22:03:21 -0700
Message-ID: <046d01cd8fda$c5670d00$50352700$@augustcellars.com>
Before I do a detailed review of the document, I have a question about the problem that this document is trying to solve. I can see three different problems that one could try and solve with this document.

1. I have been given a certificate. That certificate contains an email address. I want to establish that I should trust the certificate.

2. I have been given a certificate. I have gotten an email address from the email message, but there is no email address in the certificate. I want to establish that I should trust the certificate. Additionally, I may want to establish that the certificate has a binding with the email address.

3. I have an email address. I need to a) find a certificate for the email address (either for encryption or because the signed message did not have a certificate in it) and b) establish that I should trust the certificate.

Given the current document, I believe that I can do problem #1. The population code will be able to map the email address in the certificate to the correct DNS name and the client will be able to do the lookup using the same process. The DNS could have different names for different capitalizations based on what is in the certificate. No problems.

Problem #2 is harder. If the email address is capitalized correctly, then I can find the certificate, but depending on what is in the DNS record, I may or may not be able to establish that the certificate and the email address should be bound together. The capitalization issue could be addressed by the DNS populator, depending on what the local mail server does, by creating a record for every possible capitalization if the local mail server will do case folding. This is not needed if the local mail server does not do case folding of mailbox names. For messages coming from a user, it might be sufficient to assume that they are going to put the correct capitalization in the email message itself if folding is not done by the mail server. This may not be the case if folding is done by the mail server.

Problem #3 is almost impossible. It would require that only end-entity certificates be listed, and this would mean that either it would be directly trusted or one would need to have both an EE certificate and a trust anchor listed in the DNS entry. The capitalization issue would need to be addressed as in the previous paragraph, but is harder given that the sender may have never seen the mailbox name for the recipient and may be guessing at what the string should be if the DNS namespace is not over-populated.

Jim

> -----Original Message-----
> From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of Jakob Schlyter
> Sent: Monday, September 10, 2012 1:15 PM
> To: IETF DANE WG list
> Subject: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt
>
> FYI, we've made a last-minute update to the DANE S/MIME draft based on the input from the list.
> If the WG would like to adopt this draft (which we hope it will), we'd be happy to continue as editors.
>
> Chairs: Will the WG meet in Atlanta?
>
>
> Jakob & Paul
>
>
> Begin forwarded message:
>
> > From: internet-drafts@ietf.org
> > Subject: New Version Notification for draft-hoffman-dane-smime-04.txt
> > Date: 8 september 2012 18:13:45 CEST
> > To: paul.hoffman@vpnc.org
> > Cc: jakob@kirei.se
> >
> > A new version of I-D, draft-hoffman-dane-smime-04.txt has been successfully submitted by Paul Hoffman and posted to the IETF repository.
> >
> > Filename: draft-hoffman-dane-smime
> > Revision: 04
> > Title: Using Secure DNS to Associate Certificates with Domain Names For S/MIME
> > Creation date: 2012-09-06
> > WG ID: Individual Submission
> > Number of pages: 6
> > URL: http://www.ietf.org/internet-drafts/draft-hoffman-dane-smime-04.txt
> > Status: http://datatracker.ietf.org/doc/draft-hoffman-dane-smime
> > Htmlized: http://tools.ietf.org/html/draft-hoffman-dane-smime-04
> > Diff: http://www.ietf.org/rfcdiff?url2=draft-hoffman-dane-smime-04
> >
> > Abstract:
> > This document describes how to use secure DNS to associate an S/MIME user's certificate with the intended domain name, similar to the way that DANE (RFC 6698) does for TLS.
> >
> > The IETF Secretariat
>
> --
> Jakob Schlyter
> Kirei AB - http://www.kirei.se/
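The capitalization problem Jim raises for problems #2 and #3, as an added example that is not part of the message or the draft: it assumes a hypothetical owner-name mapping (SHA-256 of the local-part as typed, under a `_smimecert` label) standing in for the draft's real construction, which the message does not reproduce, and shows how many records a DNS populator would need when the mail server folds case versus when it does not.

```python
import hashlib
import itertools

# Hypothetical mapping (assumption, not the draft's own): hash the local-part
# exactly as written, so every capitalisation yields a distinct owner name.
def owner_name(email: str) -> str:
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).hexdigest()
    return f"{digest}._smimecert.{domain.lower()}"

# All capitalisations of a local-part: 2**k variants for k alphabetic characters.
def case_variants(local: str):
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in local]
    for combo in itertools.product(*choices):
        yield "".join(combo)

# Owner names the populator must publish so that whatever capitalisation a
# sender types still resolves.  If the server does not fold case, only the
# exact mailbox name is deliverable and a single record suffices; if it does,
# the populator has to cover every variant, which grows exponentially.
def records_to_publish(email: str, server_folds_case: bool,
                       max_records: int = 4096) -> set[str]:
    local, domain = email.rsplit("@", 1)
    if not server_folds_case:
        return {owner_name(email)}
    names = set()
    for variant in case_variants(local):
        names.add(owner_name(f"{variant}@{domain}"))
        if len(names) > max_records:
            raise ValueError("too many capitalisations to enumerate")
    return names

# Client side: does the name derived from the address as the sender typed it
# hit any record the populator published?
def sender_can_find(email_as_typed: str, published: set[str]) -> bool:
    return owner_name(email_as_typed) in published

if __name__ == "__main__":
    # Constructed sample mailbox; the sender guesses the lowercase form.
    exact = records_to_publish("Bob@example.com", server_folds_case=False)
    folded = records_to_publish("Bob@example.com", server_folds_case=True)
    print(len(exact), sender_can_find("bob@example.com", exact))    # 1 False
    print(len(folded), sender_can_find("bob@example.com", folded))  # 8 True
```

Raising `max_records` for a longer local-part makes the over-population Jim mentions concrete: a ten-letter mailbox name needs 1024 records under this mapping.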