Re: [dane] draft-wouters-dane-openpgp-01 review
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 06 January 2014 20:41 UTC
Date: Mon, 06 Jan 2014 20:40:56 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140106204056.GQ2317@mournblade.imrryr.org>
References: <E05CBC7F-1B37-49A0-9E27-D2B52BFA48A9@ogud.com>
In-Reply-To: <E05CBC7F-1B37-49A0-9E27-D2B52BFA48A9@ogud.com>
On Mon, Jan 06, 2014 at 01:25:24PM -0500, Olafur Gudmundsson wrote:

> Section 3 says: "If an OPENPGPKEY RR contains an expired OpenPGP
> public key, it MUST NOT be used for encryption."
>
> Suggest: "SHOULD" instead

Why should "expired" keys not be used?  So long as the RRSIG on the
OPENPGPKEY record is not expired, the key is not "expired".

If none of the key metadata is authenticated independently from DNSSEC,
we only learn an expiration date modulo the validity of the DNSSEC
identity to key binding, and if we trust that, why not trust the key?

If the key is really expired, it should be replaced in DNS.

-- 
	Viktor.
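The two positions in this exchange (the draft's "MUST NOT use an expired key" versus "the RRSIG validity window is the binding that matters") can be made concrete as a small policy check. The following is an added example written for this archive page; it is not code from the draft, from the thread participants, or from any OpenPGP or DNS library. It assumes the caller has already extracted two things: the RRSIG inception/expiration of the OPENPGPKEY RRset (32-bit unsigned seconds compared with RFC 1982 serial arithmetic, as RFC 4034 requires) and the OpenPGP key's creation time plus its optional Key Expiration Time subpacket (a duration in seconds after creation, per RFC 4880). The dataclasses, the `Policy` names and all timestamps below are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# RFC 4034 3.1.5: RRSIG times are 32-bit unsigned seconds since epoch and
# MUST be compared with RFC 1982 serial-number arithmetic, so a naive
# integer comparison is wrong once the counter wraps.
SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' for 32-bit serial numbers (handles wraparound)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


@dataclass(frozen=True)
class RRSig:
    inception: int    # RFC 4034 Signature Inception (epoch seconds, 32-bit)
    expiration: int   # RFC 4034 Signature Expiration (epoch seconds, 32-bit)


@dataclass(frozen=True)
class OpenPGPKeyMeta:
    creation: int                     # RFC 4880 key creation time (epoch seconds)
    expiry_seconds: Optional[int]     # Key Expiration Time subpacket; None = never

    def expires_at(self) -> Optional[int]:
        if self.expiry_seconds is None:
            return None
        return self.creation + self.expiry_seconds

    def is_expired(self, now: int) -> bool:
        exp = self.expires_at()
        return exp is not None and now >= exp


class Policy(Enum):
    DRAFT = "draft"            # MUST NOT use a key whose OpenPGP expiry has passed
    RRSIG_ONLY = "rrsig-only"  # trust the DNSSEC binding; ignore OpenPGP expiry


class Verdict(Enum):
    USE = "use"
    REJECT_RRSIG = "reject: RRSIG not within inception..expiration"
    REJECT_KEY_EXPIRED = "reject: OpenPGP key expiration has passed"


def rrsig_valid(sig: RRSig, now: int) -> bool:
    """inception <= now < expiration, in serial arithmetic."""
    return not serial_lt(now, sig.inception) and serial_lt(now, sig.expiration)


def evaluate(sig: RRSig, key: OpenPGPKeyMeta, now: int, policy: Policy) -> Verdict:
    """Decide whether an OPENPGPKEY-published key may be used for encryption."""
    # Both positions agree that an unvalidated or stale RRSIG means no key at all.
    if not rrsig_valid(sig, now):
        return Verdict.REJECT_RRSIG
    if policy is Policy.DRAFT and key.is_expired(now):
        return Verdict.REJECT_KEY_EXPIRED
    return Verdict.USE


def zone_needs_rotation(key: OpenPGPKeyMeta, now: int) -> bool:
    """Operator-side check: an expired key should be replaced in DNS either way."""
    return key.is_expired(now)


if __name__ == "__main__":
    # Constructed sample: 'now' is roughly the date of this message.
    now = 1389040856
    sig = RRSig(inception=now - 86400, expiration=now + 7 * 86400)
    key = OpenPGPKeyMeta(creation=1325376000, expiry_seconds=365 * 86400)  # expired in 2012
    for policy in Policy:
        print(policy.value, "->", evaluate(sig, key, now, policy).value)
    print("zone needs rotation:", zone_needs_rotation(key, now))
```

Run as a script it prints one verdict per policy for the same record: the draft wording rejects the key, the RRSIG-only reading accepts it, and the rotation check flags the zone in both cases, which is the operational point of the last sentence above.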