Re: [dane] draft-ietf-dane-smime

"Osterweil, Eric" <> Mon, 20 October 2014 16:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CE5F21A1BDE for <>; Mon, 20 Oct 2014 09:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id x__vBb33EK5K for <>; Mon, 20 Oct 2014 09:08:21 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4750B1A0369 for <>; Mon, 20 Oct 2014 09:06:58 -0700 (PDT)
Received: from ([]) (using TLSv1) by ([]) with SMTP ID; Mon, 20 Oct 2014 09:06:59 PDT
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id s9KG6ura005347 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 20 Oct 2014 12:06:57 -0400
Received: from ([::1]) by ([::1]) with mapi id 14.03.0174.001; Mon, 20 Oct 2014 12:06:56 -0400
From: "Osterweil, Eric" <>
To: Paul Hoffman <>
Thread-Topic: [dane] draft-ietf-dane-smime
Thread-Index: AQHP2+CXduy9obN06UaH3lWvHXXI5ZwabJwAgBgn4ICAAikmgIAEwWkAgAAIngCAAANjAA==
Date: Mon, 20 Oct 2014 16:06:56 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<>" <>
Subject: Re: [dane] draft-ietf-dane-smime
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Oct 2014 16:08:24 -0000

On Oct 20, 2014, at 11:54 AM, Paul Hoffman <> wrote:

> On Oct 20, 2014, at 8:23 AM, Osterweil, Eric <> wrote:
>> TLS and S/MIME use pretty different security models (session vs. object security)
> Sure, but how is that difference relevant here? DANE is about distributing certificates and keying information through DNS: it is agnostic to the security model.

The relevant information needed during distribution would seem to vary based on the security model (as evidenced by this thread).  Actually, that’s been one of the main points of this thread.

>> , so necessarily coupling the RRs doesn’t seem to make sense.  
> It has so far in the WG. The WG asked us early on to make as few changes as possible to the TLSA definition.

Paul, we are all part of the working group.  This is the the working group.  I feel like I must be missing some nuanced distinction you have in mind between working group discussions (like this one) and some other arbitration?

>> In addition, to echo what others have already said on the list, I really don’t think it is reasonable to gate updates to the SMIMEA proposal on updating TLSA.
> Fully agree, and that's not what I was proposing. The two changes that you have proposed (revocation indication and alternate sources for getting the information)

Paul, these were not my proposals.  These were proposed by Scott Rose.  I saw merit in them and when they seemed to be dismissed out of hand I voiced my support.  Also, the proposal included the _encr + _sign labels.

> can be done as new values to the existing RR subfields. Doing so would make what you want usable for both SMIMEA and TLSA. Proposals to make those changes can trivially be done as stand-alone Internet Drafts.

But we are still roughing out this draft.  This would seem to be a good opportunity to try and get things write in the initial work.

>>> A better process would be for the proponents to offer a standalone draft for the idea that will be an extension that would be usable to both TLSA and SMIMEA and any other documents that come later.
>> Just by looking at the list, it seems like there are a number of voices that disagree with you on this.  
> Where "a number" means "two", and even they didn't actually disagree about creating standalone drafts, simply that the assumption that the use cases might be different.

I think this thread is devolving.  The number is greater than two, and reviewing the posts of this thread should corroborate the higher level of interest.

>> Also, isn’t the SMIMEA work still an evolving draft?  
> Yes, of course.
>> What else does one need besides: articulated rationale, proposed requirements, operational data, suggested text, and running code from multiple people in order to support suggested revisions?  
> Consensus in the WG. That may seem anathema to you, but it's the way that the IETF works.

Paul, what constituted ``the WG’’ in your mind?