Re: [dane] Question regarding RFC 8162
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 09 September 2022 14:13 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2743C152586 for <dane@ietfa.amsl.com>; Fri, 9 Sep 2022 07:13:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0y-Mg-A7l474 for <dane@ietfa.amsl.com>; Fri, 9 Sep 2022 07:13:03 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89C69C152581 for <dane@ietf.org>; Fri, 9 Sep 2022 07:13:03 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E049510A2E3; Fri, 9 Sep 2022 10:13:01 -0400 (EDT)
Date: Fri, 09 Sep 2022 10:13:01 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <YxtJ7Tq+qeahQY+M@straasha.imrryr.org>
Reply-To: dane@ietf.org
References: <7B212BFE-F674-46AA-86E8-FEF77D909536@savignano.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <7B212BFE-F674-46AA-86E8-FEF77D909536@savignano.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/WBa5lC9WIZSp2t08DDbq8rzUd4I>
Subject: Re: [dane] Question regarding RFC 8162
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2022 14:13:05 -0000
On Fri, Sep 09, 2022 at 03:41:39PM +0200, Metin Savignano wrote: > We’re a team working on an email encryption app. I am always a looking > for better ways to simplify the use of S/MIME, because I believe that > the current PKI is the main reason for people not to use S/MIME. I believe this misses much deeper reasons why S/MIME and PGP are not in common use: * Even with key distribution solved, once S/MIME or PGP email is delivered, it is basically unusable with today's email client software and storage architecture. - Encrypted messages are not indexed and cannot be effectively searched. - Encrypted messages are not re-encrypted for long-term storage under managed storage keys, independent of the "short-term" recipient keys. - Signature verification at time of receipt is not securely recorded along with the message. Messages look invalid when signer keys later expire. - If E2E key discovery becomes broadly available, spam and malware defence at the gateway becomes problematic. - Which probably means that E2E encrypted email can't be as permissionless (and therefore as ubiquitous) as mainstream email (ideally with hop-by-hop encrypted transport). The architecture for managing permitted senders of E2E-encrypted email is not in place, and in any case limits its use-cases. Poor *usability* of already delivered E2E-encrypted email is a much more important barrier than lack of key discovery, which IMHO is mostly for lack of demand, than lack of potential ways to scalably distribute keys. > Let me explain what I’m trying to achieve: > > There are numerous companies (including my own little team) that > establish there own CA. I’m looking for a way to publish to the root > certificate of such a CA in a way that it can automatically be > retrieved and trusted by a remote mail client. It seemed like this > could be with DANE using the SMIMEA record. I would expect that I can > publish an SMIMEA record with certificate usage 0 (PKIX-TA) that would > be retrieved and used to validate the PKIX path. If you're looking for S/MIME restricted to just *signing*, this could work, but S/MIME supports encryption as a primary use-case, and for that per-recipient public keys need to be available, not just the issuing CA's. -- Viktor.
- [dane] Question regarding RFC 8162 Metin Savignano
- Re: [dane] Question regarding RFC 8162 Viktor Dukhovni
- Re: [dane] Question regarding RFC 8162 Eric Osterweil
- Re: [dane] Question regarding RFC 8162 Metin Savignano
- Re: [dane] Question regarding RFC 8162 Metin Savignano
- Re: [dane] Question regarding RFC 8162 Tawhidul Islam
- Re: [dane] Question regarding RFC 8162 Metin Savignano