Re: [dane] draft-ietf-dane-smime

Paul Wouters <> Mon, 20 October 2014 16:11 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1F3FF1A1B4D for <>; Mon, 20 Oct 2014 09:11:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wtXcaYhDFVDK for <>; Mon, 20 Oct 2014 09:11:07 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 265621A1B28 for <>; Mon, 20 Oct 2014 09:10:21 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id DC39780055; Mon, 20 Oct 2014 12:10:19 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1413821419; bh=tyZ4hZAoltduCJ+8+y5bnPy6ZKSax0xQuHEiPGCuAQg=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=qJPjZsfXu7X4FITdTs6FTDL+dR8uI+6zsWprDtVFXxaXFbDg9wmvgxYAR6zMytLyI pye/y50IGU7vznTJs2onlxSpS+gN0qCkcPEN3TnyZ1fgIStU7XvY2Qr+smgU/rQscz 7Ax54JuLtKpoFjQ77FF86j6ROM52DMngIxfr1O1E=
Received: from localhost (paul@localhost) by (8.14.7/8.14.7/Submit) with ESMTP id s9KGAIbu008885; Mon, 20 Oct 2014 12:10:19 -0400
X-Authentication-Warning: paul owned process doing -bs
Date: Mon, 20 Oct 2014 12:10:18 -0400
From: Paul Wouters <>
To: "Osterweil, Eric" <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <> <> <> <>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "<>" <>
Subject: Re: [dane] draft-ietf-dane-smime
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Oct 2014 16:11:14 -0000

On Mon, 20 Oct 2014, Osterweil, Eric wrote:

> For what it’s worth, I think the proposed text was exactly inline with what you both are suggesting.  The suggestion was a way to help enterprises express their needs (under some circumstances) a little more cleanly in DNS.  For example, a single DANE TA could be used to authorized all of an organization’s S/MIME users, and selective ``user-no-longer-valid'' (i.e. revocation) entries could override this.  This could definitely allow for the fact that the S/MIME cert of a ``user-no-longer-valid'' employee was once valid, but not at the time of querying DNS.  As you both point out (I believe), this is different than other notions of revocation.

For email addresses that are no longer valid, we have an SMTP error
code that prevents delivery. The SMIME and OPENPGPKEY records are not
substitutes for "is a valid email user" and it would needlessly complicate
the records.