Re: [dane] email canonicalization for SMIMEA owner names

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 12 December 2014 01:37 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 185CB1A1A2D for <dane@ietfa.amsl.com>; Thu, 11 Dec 2014 17:37:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72RFnUuJ6bP3 for <dane@ietfa.amsl.com>; Thu, 11 Dec 2014 17:37:11 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1BDD1A9136 for <dane@ietf.org>; Thu, 11 Dec 2014 17:36:57 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 64E69282F8B; Fri, 12 Dec 2014 01:36:56 +0000 (UTC)
Date: Fri, 12 Dec 2014 01:36:56 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141212013656.GT25666@mournblade.imrryr.org>
References: <95826148-4F06-4942-87A4-2F6601BA0F90@nist.gov> <20141211221456.GI3448@localhost> <20141211235519.GO25666@mournblade.imrryr.org> <20141212000953.B0FE5254EAE8@rock.dv.isc.org> <20141212003130.GQ25666@mournblade.imrryr.org> <20141212004131.09FDB254F4F4@rock.dv.isc.org> <20141212005550.GR25666@mournblade.imrryr.org> <20141212010007.2F78C254FBF3@rock.dv.isc.org> <CAF4kx8cXQYmfQ-3FVN64GFK_3mc0xt6ZYAXo9_NdFx0n1B+RXA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAF4kx8cXQYmfQ-3FVN64GFK_3mc0xt6ZYAXo9_NdFx0n1B+RXA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/UCt_GYDW33aqTe25v6B7EI7pFNk
Subject: Re: [dane] email canonicalization for SMIMEA owner names
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Dec 2014 01:37:13 -0000

On Thu, Dec 11, 2014 at 05:22:03PM -0800, Ian Fette (????????) wrote:

> Sorry, just reading the SMIMEA stuff for the first time, so apologies for
> the basic question, but do I really have to publish a record for each
> address? How would I say "this is a trusted intermediate CA for *@gmail.com
> "?

That would look like so:

    ;; insert CNAMEs for any desired indirection when
    ;; the same set of SMIMEA RRs handles multiple domains
    ;;
    *._smimecert.gmail.com IN SMIMEA 2 0 1 <blob>

Keep in mind that this only supports signature verification, not
encryption, one can't encrypt to an intermediate CA, one needs the
leaf public key for that.  So enabling encryption on first contact
requires publishing per-user keys by some means.

Otherwise all one gets is authenticated key exchange, possibly
followed later by encryption once leaf keys have been exchanged in
both directions.

-- 
	Viktor.