[dane] Quick question regarding DANE and S/MIME
Alice Wonder <alice@domblogger.net> Sat, 15 April 2017 16:01 UTC
To: IETF DANE Mailinglist <dane@ietf.org>
From: Alice Wonder <alice@domblogger.net>
Message-ID: <9bb60f83-84cb-0e26-a6ac-3e65e57ef7bb@domblogger.net>
Date: Sat, 15 Apr 2017 09:01:10 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/WKBjCfA_wZiMVSoY0BHUW5d8SnM>

When using a 2 x x DANE record for S/MIME - do I need to then include the intermediary (and root?) certificate with the actual user's certificate, or is it possible to use something like authorityInfoAccess when generating the cert to specify where the intermediary certificate that matches the DANE record resides?

Sorry for the n00b-like question, I'm probably still months away from implementing. I have the scripts needed for the root and intermediaries set up, but I need to finish carefully inspecting them and find a good open source OCSP responder, because I believe that is necessary if an intermediary fingerprint is put in a DANE record instead of a self-signed.

This does however really excite me, wish we had DANE validation of S/MIME when I first got into computing.

Thank you for your time,

Alice Wonder