Re: [dane] draft-ietf-dane-smime

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 20 October 2014 16:02 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Eric Osterweil <eosterweil@verisign.com>
Cc: "<dane@ietf.org>" <dane@ietf.org>
Date: Mon, 20 Oct 2014 09:01:56 -0700
Subject: Re: [dane] draft-ietf-dane-smime
In-Reply-To: <B4AE1805-22D9-4E63-A18C-1EEC55C1C2E3@verisign.com>
Message-Id: <CDE423BF-1418-4714-BF9C-44FAF5502643@vpnc.org>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <67BDE5B6-58C7-4E0B-8CB4-045E51027D85@ieca.com> <E507FC56-947B-4A93-AA81-F0507D2FBC69@ogud.com> <62F1DB86-59B4-4165-9AEE-82A829B6A9A9@kirei.se> <20141017150448.GV20066@mournblade.imrryr.org> <B4AE1805-22D9-4E63-A18C-1EEC55C1C2E3@verisign.com>
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/OSozZaWZz61DLk5PH3m6svmCmgY

On Oct 20, 2014, at 8:24 AM, Osterweil, Eric <eosterweil@verisign.com> wrote:

> I think we are all on the same page, and perhaps the text was not clear enough?

I'm with Jakob and Viktor: the text is ill-specified. You are inventing a new revocation mechanism without enough semantics for a relying party to use it in a concrete manner. You also don't say how to use your new revocation information when it conflicts with other revocation information for the same keying material, such as CRLs and OCSP staples for the same certificate.

> Maybe it's also possible there was some misunderstanding from the protracted email discussion?  The revocation discussion (IIRC) really had to do with an assertion that TLS did not have revocation needs.

Did anyone assert that? If so, please point it out. People asserted that revocation happens rarely for TLS certificates.

--Paul Hoffman