Re: [dane] Comment on draft-ietf-dane-smime-12

Paul Wouters <paul@nohats.ca> Thu, 06 October 2016 20:08 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32A6912977C for <dane@ietfa.amsl.com>; Thu, 6 Oct 2016 13:08:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.996
X-Spam-Level:
X-Spam-Status: No, score=-4.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b-9v92qyKb73 for <dane@ietfa.amsl.com>; Thu, 6 Oct 2016 13:08:42 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C58B12970A for <dane@ietf.org>; Thu, 6 Oct 2016 13:08:42 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3sqkHW3z2lzD09; Thu, 6 Oct 2016 22:08:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1475784519; bh=hXmVLRfsUCGU9xmRj1asJa+7tsoDSh3HKL4wHX7A9T8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=RQMf6U6etGp7Y0LCM9Fp7O34zho2PcrNoETTVDxxVFwzLQHxopspCEnfXd89gBvdT IboE8STGeoNubOr1nMo9jhCH3rXgBJ3Z0I/JzUwBEipIk3tBNpHDtgcycR4YLohUCh cqKXZJ+4aNy3f56TvjJvTF7ST7wSI+D6UDx+1QOE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 891jsgzkj1LZ; Thu, 6 Oct 2016 22:08:38 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 6 Oct 2016 22:08:38 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 67B315C83A; Thu, 6 Oct 2016 16:08:35 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 67B315C83A
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 640B140D358A; Thu, 6 Oct 2016 16:08:35 -0400 (EDT)
Date: Thu, 06 Oct 2016 16:08:35 -0400
From: Paul Wouters <paul@nohats.ca>
To: Marcos Sanz <sanz@denic.de>
In-Reply-To: <OF3260F3E2.2BFFC454-ONC1258044.0021F733-C1258044.0023E528@notes.denic.de>
Message-ID: <alpine.LRH.2.20.1610061601270.3737@bofh.nohats.ca>
References: <OF3260F3E2.2BFFC454-ONC1258044.0021F733-C1258044.0023E528@notes.denic.de>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/TtHa87uPKdBBZVNcm99khlv4EQU>
Cc: dane@ietf.org
Subject: Re: [dane] Comment on draft-ietf-dane-smime-12
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 20:08:43 -0000

On Thu, 6 Oct 2016, Marcos Sanz wrote:

> I just got through the dane-smime document and have one amendment to make
> to section 7, specifically "applications SHOULD use TCP - not UDP".
>
> My impression is that that specific recommendation (and its rationale in
> the next paragraph) was mimicked from the OPENPGPKEY spec, where it makes
> sense because the whole armored key gets into the DNS. But since SMIMEA is
> very much like TLSA, I don't see the need for that TCP preference (nor
> does 7671 - check section 10.1.1).

If you do not have the s/mime cert and you pull it from the DNS, it is
still a pretty big blob that would not be nice to get spoofed to the
wrong IP address. So I do think the same security consideration applies.

For 7671, which really mostly talks about DANE use with TLS, getting
the whole certificate from DNS is less likely, because the TLS handshake
already provides you with the certificate.

Paul
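The size argument above is easy to make concrete. The following is an added example, not code from the thread, from the draft, or from any DANE implementation; it follows the SMIMEA owner-name and RDATA layout as published later in RFC 8162 (SHA2-256 of the local-part truncated to 28 octets under `_smimecert`, TLSA-style RDATA, RR type 53), so the draft under discussion may differ in detail. The certificate bytes are a constructed placeholder of a realistic DER length, not a real certificate, and the response-size estimate ignores EDNS OPT and RRSIG records, which only make the response larger.

```python
"""Added example: why an SMIMEA lookup that carries the whole certificate
is a large DNS response, and what that means for UDP versus TCP."""
import hashlib
import struct

SMIMEA_TYPE = 53          # IANA RR type code for SMIMEA (TLSA is 52)
CLASSIC_UDP_MAX = 512     # DNS over UDP without EDNS(0)
EDNS_SAFE_MAX = 1232      # common EDNS buffer size chosen to avoid IP fragmentation

# Constructed stand-in for a ~1.4 KB DER certificate (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x05\x74" + bytes(1396)


def smimea_owner_name(email: str) -> str:
    """Owner name: hex(SHA2-256(local-part)[:28]) + '._smimecert.' + domain."""
    local_part, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}"


def smimea_rdata(usage: int, selector: int, matching_type: int, cert_der: bytes) -> bytes:
    """RDATA has the TLSA layout: usage, selector, matching type, association data.
    Matching type 0 puts the full certificate (or SPKI) into the record;
    1 and 2 put only a SHA-256 or SHA-512 digest of it."""
    if matching_type == 0:
        assoc = cert_der
    elif matching_type == 1:
        assoc = hashlib.sha256(cert_der).digest()
    elif matching_type == 2:
        assoc = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type")
    return struct.pack("!BBB", usage, selector, matching_type) + assoc


def wire_name_len(name: str) -> int:
    """Length of a name in DNS wire form: one length octet per label plus the root octet."""
    return sum(1 + len(label) for label in name.rstrip(".").split(".")) + 1


def response_size(owner: str, rdatas) -> int:
    """Approximate size of a DNS response carrying one SMIMEA RRset
    (no EDNS OPT record, no RRSIG; DNSSEC makes it larger still)."""
    header = 12
    question = wire_name_len(owner) + 4                          # QNAME + QTYPE + QCLASS
    # Each answer RR: 2-octet compression pointer, TYPE, CLASS, TTL, RDLENGTH, RDATA.
    answers = sum(2 + 2 + 2 + 4 + 2 + len(r) for r in rdatas)
    return header + question + answers


def transport_for(size: int, udp_limit: int = CLASSIC_UDP_MAX) -> str:
    """A response above the UDP limit is truncated and retried over TCP anyway;
    asking over TCP from the start avoids the fragile large-UDP path."""
    return "udp" if size <= udp_limit else "tcp"


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-octet length."""
    return struct.pack("!H", len(msg)) + msg


def compare(email: str, cert_der: bytes) -> dict:
    """Response size and transport choice for full-cert vs hashed SMIMEA records."""
    owner = smimea_owner_name(email)
    out = {}
    for mtype, label in ((0, "full_cert"), (1, "sha256"), (2, "sha512")):
        size = response_size(owner, [smimea_rdata(3, 0, mtype, cert_der)])
        out[label] = {
            "size": size,
            "no_edns": transport_for(size),
            "edns_1232": transport_for(size, EDNS_SAFE_MAX),
        }
    return out


if __name__ == "__main__":
    for label, info in compare("hugh@example.com", SAMPLE_CERT_DER).items():
        print(f"{label:10s} {info}")
```

With the placeholder certificate, a matching-type-0 record already pushes the response past both the 512-octet classic limit and the 1232-octet EDNS guideline, which is the case Paul is describing; a hashed record stays well inside a single unfragmented UDP datagram, which is the case section 10.1.1 of RFC 7671 has in mind.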