[dane] draft-ietf-dane-smime and certificate discovery

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 05 February 2014 21:06 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id EFAB91A020A for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 13:06:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id vRpjdZshw7sG for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 13:06:18 -0800 (PST)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 817771A01FC for <dane@ietf.org>; Wed, 5 Feb 2014 13:06:18 -0800 (PST)
Received: from [] (sn80.proper.com []) (authenticated bits=0) by hoffman.proper.com (8.14.7/8.14.7) with ESMTP id s15KkDMe035145 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 5 Feb 2014 13:46:15 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host sn80.proper.com [] claimed to be []
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <5DEFF47F-6533-4F1B-8D23-216108989787@verisign.com>
Date: Wed, 5 Feb 2014 13:06:15 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <03FF6C3C-0542-4D0F-97D5-1785F55D2CEF@vpnc.org>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <5DEFF47F-6533-4F1B-8D23-216108989787@verisign.com>
To: Eric Osterweil <eosterweil@verisign.com>
X-Mailer: Apple Mail (2.1827)
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: [dane] draft-ietf-dane-smime and certificate discovery
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 21:06:20 -0000

On Feb 5, 2014, at 7:17 AM, Osterweil, Eric <eosterweil@verisign.com> wrote:

> Specifically, DANE is (imho) an excellent example of a standard architecture for certificate discovery using DNS.

As has been noted in many places over the past few decades, using the DNS for information delivery and using it for information discovery are very different things. Jakob and I have chosen to go with the standard assumption that the DNS is for information delivery, and other protocols (these days, mostly HTTP) can be used for information discovery.

If the DANE WG wants to change this, and the IETF at large agrees, we can certainly walk down that path, both with this document and with TLSA itself.

--Paul Hoffman