Re: [dane] draft-wouters-dane-openpgp-01 review

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 06 January 2014 20:41 UTC

Date: Mon, 06 Jan 2014 20:40:56 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140106204056.GQ2317@mournblade.imrryr.org>
References: <E05CBC7F-1B37-49A0-9E27-D2B52BFA48A9@ogud.com>

On Mon, Jan 06, 2014 at 01:25:24PM -0500, Olafur Gudmundsson wrote:

> Section 3 says: "If an OPENPGPKEY RR contains an expired OpenPGP
>    public key, it MUST NOT be used for encryption."
> 
> Suggest: "SHOULD" instead

Why should "expired" keys not be used?  So long as the RRSIG on
the OPENPGPKEY record is not expired, the key is not "expired".
If none of the key metadata is authenticated independently from
DNSSEC, we only learn an expiration date modulo the validity of
the DNSSEC identity to key binding and if we trust that, why not
trust the key?  If the key is really expired, it should be replaced
in DNS.

-- 
	Viktor.
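The disagreement above is about which clock governs an OPENPGPKEY record's usability: the key's own expiration (carried in its self-signature and authenticated only through DNSSEC) or the RRSIG validity window. What follows is an added example, not code from either poster or from the draft: it reads the Key Expiration Time subpacket out of a constructed minimal key blob and evaluates both policies, assuming RFC 4880 new-format packets with one-octet lengths and using dummy signature and MPI bytes.

```python
import struct

# Constructed minimal OpenPGP blob: a v4 public-key packet followed by a v4
# self-signature whose hashed subpackets carry a Key Expiration Time (type 9).
# Signature and MPI bytes are dummies: good for metadata parsing only.
def _new_packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body      # one-octet length only

def build_test_key(created, expires_after):
    pubkey = struct.pack(">BIB", 4, created, 1) + b"\x00\x11\x01\x00\x01"
    sub = bytes([5, 9]) + struct.pack(">I", expires_after)   # len, type, data
    sig = struct.pack(">BBBBH", 4, 0x13, 1, 8, len(sub)) + sub
    sig += b"\x00\x00" + b"\x00\x00" + b"\x00\x01\x01"       # unhashed, left16, MPI
    return _new_packet(6, pubkey) + _new_packet(2, sig)

def parse_packets(blob):
    """Yield (tag, body) for new-format packets with one-octet lengths."""
    i = 0
    while i < len(blob):
        tag, length = blob[i] & 0x3F, blob[i + 1]
        if not blob[i] & 0x40 or length >= 192:
            raise ValueError("only new-format, one-octet lengths supported")
        yield tag, blob[i + 2:i + 2 + length]
        i += 2 + length

def key_times(blob):
    """Return (creation, expiration) epoch seconds; expiration None if unset."""
    created = expires = None
    for tag, body in parse_packets(blob):
        if tag == 6 and body[0] == 4:                       # public-key packet
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == 2 and body[0] == 4 and created is not None:  # signature
            hashed_len = struct.unpack(">H", body[4:6])[0]
            sub, j = body[6:6 + hashed_len], 0
            while j < len(sub):
                n, stype = sub[j], sub[j + 1] & 0x7F       # one-octet sub length
                if stype == 9:                              # Key Expiration Time
                    expires = created + struct.unpack(">I", sub[j + 2:j + 6])[0]
                j += 1 + n
    return created, expires

def usable_for_encryption(blob, rrsig_expiration, now, policy):
    """Apply the draft's rule ('draft') or the RRSIG-only view ('rrsig')."""
    if now >= rrsig_expiration:      # DNSSEC binding gone: nobody trusts it
        return False
    _, key_exp = key_times(blob)
    if policy == "draft":            # section 3: expired key MUST NOT be used
        return key_exp is None or now < key_exp
    return True                      # 'rrsig': a valid RRSIG makes it usable
```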