Re: [dane] email canonicalization for SMIMEA owner names

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 12 December 2014 01:37 UTC

Date: Fri, 12 Dec 2014 01:36:56 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141212013656.GT25666@mournblade.imrryr.org>
References: <95826148-4F06-4942-87A4-2F6601BA0F90@nist.gov> <20141211221456.GI3448@localhost> <20141211235519.GO25666@mournblade.imrryr.org> <20141212000953.B0FE5254EAE8@rock.dv.isc.org> <20141212003130.GQ25666@mournblade.imrryr.org> <20141212004131.09FDB254F4F4@rock.dv.isc.org> <20141212005550.GR25666@mournblade.imrryr.org> <20141212010007.2F78C254FBF3@rock.dv.isc.org> <CAF4kx8cXQYmfQ-3FVN64GFK_3mc0xt6ZYAXo9_NdFx0n1B+RXA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAF4kx8cXQYmfQ-3FVN64GFK_3mc0xt6ZYAXo9_NdFx0n1B+RXA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/UCt_GYDW33aqTe25v6B7EI7pFNk
Subject: Re: [dane] email canonicalization for SMIMEA owner names
Precedence: list
Reply-To: dane@ietf.org

On Thu, Dec 11, 2014 at 05:22:03PM -0800, Ian Fette (????????) wrote:

> Sorry, just reading the SMIMEA stuff for the first time, so apologies for
> the basic question, but do I really have to publish a record for each
> address? How would I say "this is a trusted intermediate CA for *@gmail.com
> "?

That would look like so:

    ;; insert CNAMEs for any desired indirection when
    ;; the same set of SMIMEA RRs handles multiple domains
    ;;
    *._smimecert.gmail.com IN SMIMEA 2 0 1 <blob>

Keep in mind that this only supports signature verification, not
encryption, one can't encrypt to an intermediate CA, one needs the
leaf public key for that.  So enabling encryption on first contact
requires publishing per-user keys by some means.

Otherwise all one gets is authenticated key exchange, possibly
followed later by encryption once leaf keys have been exchanged in
both directions.

-- 
	Viktor.

Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
[dane] email canonicalization for SMIMEA owner na… Rose, Scott W.
Re: [dane] email canonicalization for SMIMEA owne… Ian Fette (イアンフェッティ)
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… Christian Rößner
Re: [dane] email canonicalization for SMIMEA owne… John Levine
Re: [dane] email canonicalization for SMIMEA owne… John Levine
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… Mark Andrews
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… Mark Andrews
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… Mark Andrews
Re: [dane] email canonicalization for SMIMEA owne… Ian Fette (イアンフェッティ)
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… Paul Wouters
Re: [dane] email canonicalization for SMIMEA owne… Paul Wouters
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… John Levine
Re: [dane] email canonicalization for SMIMEA owne… Mark Andrews
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… Ben Laurie
Re: [dane] email canonicalization for SMIMEA owne… Jakob Schlyter
Re: [dane] email canonicalization for SMIMEA owne… Paul Wouters
Re: [dane] email canonicalization for SMIMEA owne… Alexey Melnikov
Re: [dane] email canonicalization for SMIMEA owne… Alexey Melnikov
Re: [dane] email canonicalization for SMIMEA owne… Paul Wouters
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… Ben Laurie
Re: [dane] email canonicalization for SMIMEA owne… Alexey Melnikov
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… John Levine
Re: [dane] email canonicalization for SMIMEA owne… Nico Williams
Re: [dane] email canonicalization for SMIMEA owne… James Cloos
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… John Levine
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni
Re: [dane] email canonicalization for SMIMEA owne… James Cloos
Re: [dane] email canonicalization for SMIMEA owne… John Levine
Re: [dane] email canonicalization for SMIMEA owne… Viktor Dukhovni