Re: [dane] Reusing TLSA

Tony Finch <dot@dotat.at> Thu, 27 September 2012 09:04 UTC

Date: Thu, 27 Sep 2012 10:04:08 +0100
From: Tony Finch <dot@dotat.at>
To: Dan York <dan-ietf@danyork.org>
In-Reply-To: <CBE06D6B-2022-4151-830C-AB43AF9CE5E8@danyork.org>
Message-ID: <alpine.LSU.2.00.1209271000260.1469@hermes-1.csi.cam.ac.uk>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org> <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com> <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org> <CBE06D6B-2022-4151-830C-AB43AF9CE5E8@danyork.org>
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA

Dan York <dan-ietf@danyork.org> wrote:
>
> My comments were reacting largely to Tony's comment about the content of the TLSA record:
>
> > TLS is about authenticating peers. S/MIME is about encryption as well as
> > verifying signatures. So I would expect TLS records to be more about
> > digests of certificates (for brevity) whereas S/MIME records to
> > contain public keys or entire certs.
>
> To me it just seemed that there could be app developer confusion if in
> the one case the TLSA record is a digest of a certificate and in another
> case the TLSA record might be a full certificate.
>
> Having said that, I've now gone back and re-read RFC 6698 and seen
> clearly that this is all covered with the Matching Type field in section
> 2.1.3 and so any "DANE implementation" needs to be able to understand
> both the digest and the full certificate.
>
> So consider my comments withdrawn.... and thanks for the replies that
> forced me to deepen my understanding of the DANE protocol. :-)

I think I agree with Dan. My comments were meant to be thinking out loud
rather than objections as such - just trying to enumerate what the
differences might be between TLSA and SMIMEA, in usage and semantics if
not syntax.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
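As an added illustration of Dan's point that a DANE validator has to accept both a digest and a full certificate in the Certificate Association Data, depending on the Matching Type field (example code written for this archive page, not from anyone on the thread; the certificate bytes are a constructed stand-in and only selector 0, the full certificate, is handled):

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field values from RFC 6698 section 2.1. Selector 1 (SubjectPublicKeyInfo)
# needs an ASN.1 parser and is deliberately left out of this example.
SELECTOR_FULL_CERT = 0
MATCHING_FULL, MATCHING_SHA256, MATCHING_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # the Certificate Association Data field, raw bytes

    @classmethod
    def from_presentation(cls, rdata: str) -> "TLSA":
        """Parse the zone-file form '<usage> <selector> <mtype> <hex...>'."""
        usage, selector, mtype, *hexparts = rdata.split()
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, matching_type: int) -> bytes:
    """What a record with this matching type carries for cert_der."""
    if matching_type == MATCHING_FULL:
        return cert_der
    if matching_type == MATCHING_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCHING_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def matches(record: TLSA, cert_der: bytes) -> bool:
    """True if the presented end-entity certificate satisfies the record.
    A selector or matching type this validator cannot handle makes the
    record unusable (RFC 6698 section 4.1): a non-match, not an error."""
    if record.selector != SELECTOR_FULL_CERT:
        return False
    try:
        expected = association_data(cert_der, record.matching_type)
    except ValueError:
        return False
    # Constant-time comparison; the same code path serves a 32-byte
    # digest and a multi-kilobyte full certificate.
    return hmac.compare_digest(expected, record.data)
```

A record published as `3 0 0 <hex of the whole DER cert>` and one published as `3 0 1 <hex SHA-256>` both validate the same certificate through `matches`.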