[dane] Quick question regarding DANE and S/MIME

Alice Wonder <alice@domblogger.net> Sat, 15 April 2017 16:01 UTC

To: IETF DANE Mailinglist <dane@ietf.org>
From: Alice Wonder <alice@domblogger.net>
Message-ID: <9bb60f83-84cb-0e26-a6ac-3e65e57ef7bb@domblogger.net>
Date: Sat, 15 Apr 2017 09:01:10 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/WKBjCfA_wZiMVSoY0BHUW5d8SnM>
Subject: [dane] Quick question regarding DANE and S/MIME

When using a 2 x x DANE record for S/MIME, do I need to then include the intermediary (and root?) certificate with the actual user's certificate, or is it possible to use something like authorityInfoAccess when generating the cert to specify where the intermediary certificate that matches the DANE record resides?

Sorry for the n00b-like question. I'm probably still months away from implementing; I have the scripts needed for the root and intermediaries set up, but I need to finish carefully inspecting them and find a good open source OCSP responder, because I believe that is necessary if an intermediary fingerprint is put in a DANE record instead of a self-signed one.

This does, however, really excite me; I wish we had DANE validation of S/MIME when I first got into computing.

Thank you for your time,

Alice Wonder
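Added illustration (not part of the original post or of any IETF implementation): the question turns on what a validator can match a usage-2 (DANE-TA) SMIMEA record against. The record carries either a digest of the CA certificate (matching type 1 or 2) or the CA certificate itself (matching type 0), and under the DANE-TA semantics SMIMEA inherits from TLSA the validator compares the record against certificates it actually holds from the message's chain; it does not chase authorityInfoAccess. The example below builds the RFC 8162 owner name and record data with hashlib and then shows the chain-search step: with a hashed record the intermediate must be present in the chain to be found, while a full-certificate record supplies the trust anchor from DNS. The certificate bytes are constructed placeholders, not real DER, and only selector 0 (full certificate) is implemented; selector 1 (SubjectPublicKeyInfo) would need DER parsing and is left out.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
EE_CERT_DER = b"constructed-end-entity-cert"
INTERMEDIATE_DER = b"constructed-intermediate-ca-cert"
ROOT_DER = b"constructed-root-ca-cert"

USAGE_DANE_TA = 2        # certificate usage 2: record names a trust-anchor (CA) certificate
SELECTOR_FULL_CERT = 0   # selector 0: the whole certificate is the association data
MATCH_FULL = 0           # matching type 0: association data is the certificate itself
MATCH_SHA256 = 1         # matching type 1: SHA-256 of the selected data
MATCH_SHA512 = 2         # matching type 2: SHA-512 of the selected data


def smimea_owner_name(local_part: str, domain: str) -> str:
    """RFC 8162 owner name: SHA-256 of the local-part, truncated to 28 octets,
    hex-encoded, under the _smimecert label of the domain."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain}."


def association_data(mtype: int, cert_der: bytes) -> bytes:
    """Selected data (selector 0 = full cert) after applying the matching type."""
    if mtype == MATCH_FULL:
        return cert_der
    if mtype == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def build_smimea_rdata(usage: int, selector: int, mtype: int, cert_der: bytes) -> str:
    """Presentation form of the RDATA: 'usage selector mtype hex-data'."""
    if selector != SELECTOR_FULL_CERT:
        raise ValueError("this example only supports selector 0 (full certificate)")
    return f"{usage} {selector} {mtype} {association_data(mtype, cert_der).hex()}"


def parse_rdata(rdata: str) -> Tuple[int, int, int, bytes]:
    usage, selector, mtype, data = rdata.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data)


def find_trust_anchor(rdata: str, chain: List[bytes]) -> Optional[bytes]:
    """Return the certificate the DANE-TA record designates, or None.

    With a hashed record (matching type 1/2) the validator can only compare
    digests of certificates it already has, so the CA certificate must be in
    `chain`. With matching type 0 the record carries the certificate itself,
    so the trust anchor is available even when the chain omits it."""
    usage, selector, mtype, data = parse_rdata(rdata)
    if usage != USAGE_DANE_TA:
        raise ValueError("example handles certificate usage 2 (DANE-TA) only")
    if selector != SELECTOR_FULL_CERT:
        raise ValueError("example handles selector 0 only")
    if mtype == MATCH_FULL:
        return data
    for cert in chain:
        if association_data(mtype, cert) == data:
            return cert
    return None


if __name__ == "__main__":
    # Hypothetical mailbox used only to show the owner-name derivation.
    print(smimea_owner_name("alice", "example.net"))
    hashed = build_smimea_rdata(USAGE_DANE_TA, SELECTOR_FULL_CERT, MATCH_SHA256, INTERMEDIATE_DER)
    print("intermediate in chain:", find_trust_anchor(hashed, [EE_CERT_DER, INTERMEDIATE_DER]) is not None)
    print("intermediate omitted: ", find_trust_anchor(hashed, [EE_CERT_DER]) is not None)
    full = build_smimea_rdata(USAGE_DANE_TA, SELECTOR_FULL_CERT, MATCH_FULL, INTERMEDIATE_DER)
    print("full-cert record, intermediate omitted:", find_trust_anchor(full, [EE_CERT_DER]) is not None)
```

Run stand-alone, the script shows the three outcomes the post is asking about: a SHA-256 record is found when the intermediate travels with the message and is not found when only the end-entity certificate is sent, while a matching-type-0 record yields the trust anchor regardless of what the chain contains. Publishing the full certificate in DNS is the one case where omitting the intermediate from the message does not break validation.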