Re: [dane] I-D Action: draft-ietf-dane-openpgpkey-usage-01.txt
Pieter Lexis <pieter.lexis@powerdns.com> Fri, 13 March 2015 14:32 UTC
Return-Path: <pieter.lexis@powerdns.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B5D81A0A6A for <dane@ietfa.amsl.com>; Fri, 13 Mar 2015 07:32:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_15=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wSjTWn6tsh0E for <dane@ietfa.amsl.com>; Fri, 13 Mar 2015 07:32:27 -0700 (PDT)
Received: from mango.plexis.eu (mango.plexis.eu [77.72.150.82]) by ietfa.amsl.com (Postfix) with ESMTP id 227CE1A026F for <dane@ietf.org>; Fri, 13 Mar 2015 07:32:25 -0700 (PDT)
Received: from aardbei.mobile.plexis.eu (132-22-159-88.business.edutel.nl [88.159.22.132]) by mango.plexis.eu (Postfix) with ESMTPSA id 8B49C5F for <dane@ietf.org>; Fri, 13 Mar 2015 15:32:24 +0100 (CET)
Message-ID: <5502F4F8.1000906@powerdns.com>
Date: Fri, 13 Mar 2015 15:32:24 +0100
From: Pieter Lexis <pieter.lexis@powerdns.com>
Organization: PowerDNS
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: dane@ietf.org
References: <20141027233634.2254.98590.idtracker@ietfa.amsl.com>
In-Reply-To: <20141027233634.2254.98590.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/O0UOu5mJHo4t4j788J22vwRo_kQ>
Subject: Re: [dane] I-D Action: draft-ietf-dane-openpgpkey-usage-01.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 14:32:31 -0000
Hi folks, I've read this draft (and not my dane@iets.org backlog, so dead horses may be beaten) and have some comments on it. On 10/28/2014 12:36 AM, internet-drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the DNS-based Authentication of Named Entities Working Group of the IETF. > > Title : Best Common Practise for using OPENPGPKEY records > Author : Paul Wouters > Filename : draft-ietf-dane-openpgpkey-usage-01.txt > Pages : 8 > Date : 2014-10-27 General remarks: Make it clear early in the document that OPENPGPKEY records are only valid for their TTL and never permanent but they MAY function to validate the local public keyring. Also, nowhere in this draft there is any mention if (and if so, under what conditions) keys obtained from the DNS may be added to the local keyring. Abstract: This document aims to be a Best Current Practice (in this document also referred to to Best Common Practice). But at the moment there is no common practice (or even a current practice ;-)), so this nomenclature is a bit off. I'd suggest dropping the C{ommon,urrent}. 1. Introduction - Broken x-ref - Singular and plural use of MTA and MUA, pick one. 2. The OPENPGPKEY record presence - Could use some more information on the threat model we're protecting against. Like the end-to-end nature of this solution vs transport security, or just a reference to section 4 of this document. 3. OpenPGP public key considerations - This should refer to later sections on what to do with keys obtained from the DNS. 3.3 Public Key UIDs and synthesized DNS records - CNAME's and DNAME's looks clunky, "CNAME and DNAME records" looks better imo. 3.4 OpenPGP Key size and DNS - s/DNS Resoruce/DNS Resource/ - Refer to draft-ietf-dane-openpgp section 4, and optionally expand as this is almost a copy-paste. 4. Security Considerations - s/twart/thwart/ - The terms MUA and MTA are used before in section 1, no need to explain/un-acronym them here (do it in section 1) 4.1. Email address information leak - Pretends that dictionary attack against a zone (even with NSEC3) has the same difficulty as against SMTP 4.2. OpenPGP security and DNSSEC - (and other sections) appear to be partially duplicated from the openpgpkey draft. Should refer to these sections and expand on them - s/twart/thwart/ 4.3. MTA behaviour - s/bogus/Bogus/; s/indeterminate/Indeterminate/ (to match terminology from 4035 4.3) - "the MTA MUST NOT sent the message and queue the plaintext message for delivery at a later time” is unclear - should it or should it not queue the plaintext message? - s/sent/send/ - Whether or not encrypt with both keys is also 'just' part of the local policy 4.4. MUA behaviour - "contradicting properties" is somewhat broad, needs examples/expansion. 4.5. Email client behaviour - Needs some information on adding the key to the local keyring and what the trust implication is. -- Pieter Lexis
- [dane] I-D Action: draft-ietf-dane-openpgpkey-usa… internet-drafts
- Re: [dane] I-D Action: draft-ietf-dane-openpgpkey… Pieter Lexis