IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.

Paul Wouters <paul@nohats.ca> Sat, 21 February 2015 20:54 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11BF01A0013 for <dane@ietfa.amsl.com>; Sat, 21 Feb 2015 12:54:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qM3w2LjdO0S3 for <dane@ietfa.amsl.com>; Sat, 21 Feb 2015 12:54:26 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E9091A0010 for <dane@ietf.org>; Sat, 21 Feb 2015 12:54:26 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3kqMN10cmpzB5Q for <dane@ietf.org>; Sat, 21 Feb 2015 21:54:25 +0100 (CET)
Authentication-Results: mx.nohats.ca; dkim=pass reason="1024-bit key; unprotected key" header.d=nohats.ca header.i=@nohats.ca header.b=ICxWEhIm; dkim-adsp=pass
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id cYpNJ_YbrtwT for <dane@ietf.org>; Sat, 21 Feb 2015 21:54:23 +0100 (CET)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dane@ietf.org>; Sat, 21 Feb 2015 21:54:23 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B53BF80416 for <dane@ietf.org>; Sat, 21 Feb 2015 15:54:22 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1424552062; bh=w3RNfzmraEna6Y81O2B6zTypJR9yrlX1JETrErJcmzQ=; h=Date:From:To:Subject:In-Reply-To:References; b=ICxWEhIm9a2kbkwJ1Iz5abrUNiob8x9PVFmbTwEVHnCVY46MB9Kj+K0yePTqehoON /gEiMBJJpHaqXSXkUpAxfY/BymsjwSNwGjOfqI4rO6uY36EMLrpsRPM+eKgtjbirY/ LwrfO5g/vRtPEuvsCJzWafvAdlXq9SJvUHqXd0SM=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id t1LKsMab007917 for <dane@ietf.org>; Sat, 21 Feb 2015 15:54:22 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Sat, 21 Feb 2015 15:54:22 -0500
From: Paul Wouters <paul@nohats.ca>
To: dane@ietf.org
In-Reply-To: <20150221022330.GN1260@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1502211547040.4576@bofh.nohats.ca>
References: <CAHw9_iJPuG23Aok7V_wcAMirua_DPDLHy01tnd+DaUqEeK3NZA@mail.gmail.com> <20150221022330.GN1260@mournblade.imrryr.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/O1-vWYaal6271G81CCSfTdkmOp4>
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey - *please* review.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Feb 2015 20:54:28 -0000

On Sat, 21 Feb 2015, Viktor Dukhovni wrote:

> Comments:
>
> * The below does not mention the hex encoding of the digest.  Compare with SMIMEA:

Thanks. Fixed for -02.

> * Grammar nit replace "its" with "their" or rephrase:

Fixed for -02.

> * Forward security vouching for long-term keys
>
>    There's a typo in the first word of the highlighted paragraph:

> 	   Therefor, an OpenPGP key obtained via an OPENPGPKEY

Fixed Therefor -> Therefore.

> 	   verification of the "Web of Trust".  See [OPENPGPKEY-USAGE]
> 	   for more in-depth information on safe usage of OPENPGPKEY
> 	   based OpenPGP keys.
>
>    An complementary approach is to not use the retrieved OpenPGP
>    key beyond the signature lifetime of the OPENPGPKEY RRset RRSIG
>    record.  Keys obtained from DNS should be refreshed as often
>    as is practical (ideally before encrypting each message) and
>    never used beyond the RRSIG lifetime.  Were the RRSIG in question
>    signed by an attacker, only messages signed before the key is
>    refreshed are compromised.  Of course this requires that PGP
>    user agent software track the provenance and cache lifetime of
>    keys obtained via DNS.

I would like that discussion to go into the OPENPGPKEY-USAGE document.

> * Encoding tools:
>
> 	Appendix A.  Generating OPENPGPKEY records
>
> 	   gpg --export --export-options export-minimal \
> 	       hugh@example.com | base64
>
>  the "openssl base64" command is an alternative on many other platforms.

What is more widespread? coreutils or openssl ?

>  Later the examples don't yet use the newly allocated TYPE61:

Well spotted :) Fixed.

>  the type should of course now be TYPE61.  May as well give a
>  recipe for generating "SHA2-224(hugh)":
>
>       printf "%s" hugh |
> 	   openssl dgst -sha224 -binary |
> 	   hexdump -ve '/1 "%.2x"' -e '/28 "\n"'

Sure. But what is more common, coreutils or openssl :)

Paul

v2.23.0 | Report a Bug | By Email