IETF Logo Mail Archive

Re: [dane] draft-ietf-dane-openpgpkey-00 comments

Mark Andrews <marka@isc.org> Wed, 23 April 2014 02:45 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A96761A02C5 for <dane@ietfa.amsl.com>; Tue, 22 Apr 2014 19:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.173
X-Spam-Level:
X-Spam-Status: No, score=-2.173 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Duqk2xVRPmnk for <dane@ietfa.amsl.com>; Tue, 22 Apr 2014 19:45:35 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 3C6391A012A for <dane@ietf.org>; Tue, 22 Apr 2014 19:45:35 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 496B42383B1; Wed, 23 Apr 2014 02:45:16 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 770B1160056; Wed, 23 Apr 2014 02:47:53 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 4538616004A; Wed, 23 Apr 2014 02:47:53 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id DADFA143DC9F; Wed, 23 Apr 2014 12:45:11 +1000 (EST)
To: Paul Wouters <paul@nohats.ca>
From: Mark Andrews <marka@isc.org>
References: <20140410175623.1767.25701.idtracker@ietfa.amsl.com> <53562BA6.6010808@redhat.com> <53564F63.2010008@redhat.com> <m3d2g9dntz.fsf@carbon.jhcloos.org> <alpine.LFD.2.10.1404221827080.32654@bofh.nohats.ca> <20140422234112.7C239143C8CC@rock.dv.isc.org> <alpine.LFD.2.10.1404222138260.32149@bofh.nohats.ca>
In-reply-to: Your message of "Tue, 22 Apr 2014 21:44:43 -0400." <alpine.LFD.2.10.1404222138260.32149@bofh.nohats.ca>
Date: Wed, 23 Apr 2014 12:45:11 +1000
Message-Id: <20140423024511.DADFA143DC9F@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/R_odUiWK8yAAv84eT32BxYRWcaY
Cc: dane@ietf.org
Subject: Re: [dane] draft-ietf-dane-openpgpkey-00 comments
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Apr 2014 02:45:40 -0000

In message <alpine.LFD.2.10.1404222138260.32149@bofh.nohats.ca>, Paul Wouters writes:
> On Wed, 23 Apr 2014, Mark Andrews wrote:
> 
> >> CERT also uses sub-typing, so you might end up getting all kind of types
> >> of certificates (like a PKIX cert) that you don't want or need. Granted,
> >> the _openpgpkey. prefix would at least prevent the non-malicious
> >> contamination, but you might still get all kinds of weird stuff. From
> >> what I understood, sub-typing was what really killed the CERT record,
> >> and everyone since has been strongly urged to stay away from sub-typing,
> >> and told to use _prefix. instead.
> >
> > 	Then you have failed to understand RFC 5507.
> 
> Hmm, I read from RFC 5507"
> 
>     When storing data in the DNS for a new application, the goal must be
>     to store data in such a way that the application can query for the
>     data it wants, while minimizing both the impact on existing
>     applications and the amount of extra data transferred to the client.
>     This implies that a number of design choices have to be made, where
>     the most important is to ensure that a precise selection of what data
>     to return must be made already in the query.
> 
> To me that reads as "don't do sub-typing" because the query cannot
> request the single type it is interested it, and can only get the full
> list.
> 
> >> The CERT record also does not offer a nice presentation format for the
> >> zone file. The RFC states:
> >>
> >>        smith        IN CERT PGP 0 0 <OpenPGP binary>

> > 	CERT records have base64 as the presentation format of the
> > 	binary blob.
> 
> The line above here containing "smith" comes straight from that same
> RFC, so that's a little confusing then :P I did not read "<OpenPGP binary>"
> as "base64" :P
> 
> Maybe we should file an errata (if people cared about CERT)
> 
> Paul

As far as I can see you want a new type to save 5 bytes per record.
There is no need for a new type especially as you are using a prefix
to seperate usage.  CERT is quite capable of holding the data.

I can see some use in encoding local part as we don't want case
insensitve local parts.  We also don't want to be able to just list
out the PI data.  Additionally a prefix is useful for seperating
name spaces (people vs machines).  Standard mbox encoding (RFC 1034)
doesn't seperate the name spaces which has always been a problem.

I would recommend changing the draft to focus on why mbox is not a
good format for the DNS keys for email addresses for and just encode
the data using CERTs.

Note ":" + base32hexnp(sha1(utf8(local))) would be sufficient without
the _openpgpkey label to seperate namespaces. (':' could be replaced
with any non LDH character)  Reserve all strings which match that
format for the new mbox format.

base32hexnp = base32hex with no padding as used in NSEC3.

Mark


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email