IETF Logo Mail Archive

Re: [dane] Reusing TLSA

Tony Finch <dot@dotat.at> Mon, 24 September 2012 23:32 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAC941F0C3A for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 16:32:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.05
X-Spam-Level:
X-Spam-Status: No, score=-6.05 tagged_above=-999 required=5 tests=[AWL=0.549, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pt0pxjXt8Bno for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 16:32:25 -0700 (PDT)
Received: from ppsw-51.csi.cam.ac.uk (ppsw-51.csi.cam.ac.uk [131.111.8.151]) by ietfa.amsl.com (Postfix) with ESMTP id 02B7C1F041D for <dane@ietf.org>; Mon, 24 Sep 2012 16:32:24 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:35339) by ppsw-51.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.158]:25) with esmtpa (EXTERNAL:fanf2) id 1TGI8U-0000SR-Y6 (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 25 Sep 2012 00:32:22 +0100
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1TGI8U-00074Z-Hg (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 25 Sep 2012 00:32:22 +0100
Date: Tue, 25 Sep 2012 00:32:22 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <50609A03.1050507@ogud.com>
Message-ID: <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dane@ietf.org
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 23:32:26 -0000

Olafur Gudmundsson <ogud@ogud.com> wrote:
>
> There are are two parts to TLSA reuse.
>
> 1) the RDATA format
> 2) The registries created for TLSA RR fields.
> 	a) TLSA Certificate Usages
> 	b) TLSA Selectors
> 	c) TLSA Matching Types

There are a few other semantics-related questions:

* Would sharing an RRtype lead to the DNS returning too much irrelevant
data in response to queries? In this case not, because we are using
prefixed labels to disambiguate.

* Would sharing an RRtype lead to useful code sharing between S/MIME and
TLS implementations?

> Reuse of TLSA RR by a protocol means subscribing to supporting new
> entries in the above registries and even allowing new entries in there
> that only make sense in one context.

TLS is about authenticating peers. S/MIME is about encryption as well as
verifying signatures. So I would expect TLS records to be more about
digests of certificates (for brevity) whereas S/MIME records to contain
public keys or entire certs.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

v2.23.0 | Report a Bug | By Email