Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt

"Paul Hoffman" <paul.hoffman@vpnc.org> Sat, 09 July 2016 18:46 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
To: John Levine <johnl@taugh.com>
Date: Sat, 09 Jul 2016 11:46:34 -0700
Message-ID: <D1D860E0-4F6A-4E77-8739-2FEA60371251@vpnc.org>
In-Reply-To: <20160709182428.19819.qmail@ary.lan>
References: <20160709182428.19819.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/SVsG7S9O-XHtgyb4dqUYKQB7na0>
Cc: dane@ietf.org
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt

On 9 Jul 2016, at 11:24, John Levine wrote:

>> Any other issues should be brought forward
>
> Also, I see that there's a disclaimer about the semantics of
> the certificates, but I'm still confused.
>
> At this point, all S/MIME certificates are signed by a CA, and MUAs
> typically put ugly red marks on messages with a cert with an unknown
> CA.
>
> I gather the idea here is that the certs can be self-signed, and
> they're credible in the absence of a CA signature because the domain
> is asserting something about them via DNSSEC publication.  But it
> never says that, or anything like that.

I have not done a recent survey of MUAs with S/MIME support and 
self-signed PKIX certs, but when I did an informal survey in the past, 
most of them supported a similar interface to the browsers at the time 
with a layer of "are you really sure you want to do that" followed by 
"OK, you did that" and it worked. We have no idea how they will change 
with the introduction of DANE with SMIMEA records, but I would hope it 
would be even easier. If it turns out that none of the MUAs want that, 
that will be a really good indication of how this experiment is faring. 
(Ditto for the parallel features in OpenPGP with the new OPENPGPKEY 
record.)

--Paul Hoffman
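As an added illustration of the trust model John describes (this is example code written for this page, not code from the draft or from either participant): with a usage-3 SMIMEA record, a self-signed certificate is accepted because its hash matches a DNSSEC-validated record, and the CA signature plays no role. Owner-name construction and the record fields follow the published RFC 8162 (the form this draft eventually took); the certificate bytes and the DNS answers are constructed sample data, and the record is only trusted when the resolver reported DNSSEC validation.

```python
import hashlib
from dataclasses import dataclass

def smimea_owner_name(address: str) -> str:
    """Owner name per RFC 8162: hex of the first 28 octets of SHA2-256(local-part),
    under the _smimecert label of the address's domain."""
    local_part, domain = address.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}."

@dataclass
class SmimeaRecord:
    usage: int              # 3 = DANE-EE: match the end-entity cert, ignore any CA chain
    selector: int           # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int      # 0 = exact, 1 = SHA2-256, 2 = SHA2-512
    assoc_data: bytes       # certificate association data
    dnssec_validated: bool  # AD bit from a validating resolver; without it the record proves nothing

def _matches(record: SmimeaRecord, cert_der: bytes) -> bool:
    """Compare the certificate against the record's association data."""
    if record.selector != 0:
        return False  # SPKI extraction needs an X.509 parser; this example handles full certs only
    if record.matching_type == 0:
        return record.assoc_data == cert_der
    if record.matching_type == 1:
        return record.assoc_data == hashlib.sha256(cert_der).digest()
    if record.matching_type == 2:
        return record.assoc_data == hashlib.sha512(cert_der).digest()
    return False

def accept_self_signed(cert_der: bytes, records: list) -> bool:
    """A self-signed cert is credible only through a DNSSEC-validated usage-3 SMIMEA match."""
    return any(r.dnssec_validated and r.usage == 3 and _matches(r, cert_der) for r in records)

# Constructed sample data: a stand-in for a self-signed DER certificate and three DNS answers.
SAMPLE_CERT = b"\x30\x82\x01\x00-constructed-self-signed-cert-for-alice@example.com"
GOOD = SmimeaRecord(3, 0, 1, hashlib.sha256(SAMPLE_CERT).digest(), True)      # validated match
UNSIGNED = SmimeaRecord(3, 0, 1, hashlib.sha256(SAMPLE_CERT).digest(), False) # same data, no DNSSEC
OTHER = SmimeaRecord(3, 0, 1, hashlib.sha256(b"some-other-cert").digest(), True)  # validated, wrong cert

if __name__ == "__main__":
    print(smimea_owner_name("alice@example.com"))
    print(accept_self_signed(SAMPLE_CERT, [GOOD]), accept_self_signed(SAMPLE_CERT, [UNSIGNED, OTHER]))
```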