Re: [dane] Start of WGLC for draft-ietf-dane-openpgpkey: objection about keyring format documentation

Jon Callas <joncallas@icloud.com> Mon, 09 March 2015 02:59 UTC

From: Jon Callas <joncallas@icloud.com>
Date: Sun, 08 Mar 2015 19:58:55 -0700
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: Jon Callas <joncallas@icloud.com>, dane WG list <dane@ietf.org>

> On Mar 8, 2015, at 6:04 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> I fully agree on this. In fact, I think I brought the lack of interop up during the discussion leading up to RFC 2440, and was told that it was too late to change. (To be fair, we used the "too late to change" phrase a lot leading up to the spec for S/MIME v2. Ah, those carefree '90s.)

To be fair here — back in the carefree '90s, we were *forbidden* from being a "PKI" because there already was one, and it was PKIX.

Despite that, if you look at section 3.6 of RFC 4880, you will see in its entirety:

3.6.  Keyrings

   A keyring is a collection of one or more keys in a file or database.
   Traditionally, a keyring is simply a sequential list of keys, but may
   be any suitable database.  It is beyond the scope of this standard to
   discuss the details of keyrings or other databases.

The second sentence of that, "...a keyring is simply a sequential list of keys..." is in fact the *exact* definition of a keyring. The sentence adverb in that sentence, "Traditionally," is the weasel word that satisfies the requirement not to be a PKI. If you add in the last sentence of the paragraph, it seals the deal.

All else you need to do is follow the SHOULD in the Trust Packet section (5.10) and, of course, interpret a "local" signature as, well, local.

Poof, you’re done.

	Jon
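As an added illustration of the keyring point made in this message (example code, not anything from the draft, from RFC 4880, or from the author): a keyring read as nothing more than a sequential list of packets, followed by a 5.10-style export that drops Trust packets and withholds non-exportable ("local") certifications. The sample keyring is constructed inline with dummy key bodies and signature skeletons (no real MPIs, the hash prefix is a placeholder); partial body lengths and indeterminate old-format lengths are assumed absent, and the export re-emits everything in new-format headers.

```python
"""Treat an OpenPGP keyring as the sequential list of packets of RFC 4880
section 3.6, then re-emit it for another user: Trust packets (tag 12, 5.10)
are dropped and "local" certifications (Exportable Certification = 0,
5.2.3.11) are withheld.  The sample keyring below is constructed."""
import struct

PUBKEY, SIGNATURE, TRUST, USERID = 6, 2, 12, 13
SUBPKT_EXPORTABLE = 4  # Exportable Certification subpacket type (5.2.3.11)

def new_length(buf, i, subpacket=False):
    """Decode a new-format length at buf[i]; return (length, next_index).
    Packets use 224..254 for partial body lengths (unsupported here), while
    subpackets use those same octets for the two-octet form (5.2.3.1)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported in this example")

def read_packets(data):
    """Yield (tag, body) for each old- or new-format packet in the stream (4.2)."""
    i = 0
    while i < len(data):
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("bit 7 of the packet tag octet must be set at %d" % i)
        if ptag & 0x40:  # new-format header: tag in the low six bits
            tag = ptag & 0x3F
            length, i = new_length(data, i + 1)
        else:  # old-format header: tag in bits 5..2, length type in bits 1..0
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported in this example")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i + 1:i + 1 + size], "big")
            i += 1 + size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet body at offset %d" % i)
        i += length
        yield tag, body

def packet(tag, body):
    """Encode one new-format packet with a one- or two-octet length (< 8384)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body

def read_subpackets(area):
    """Yield (type, data) from a signature subpacket area (5.2.3.1)."""
    i = 0
    while i < len(area):
        length, i = new_length(area, i, subpacket=True)
        yield area[i] & 0x7F, area[i + 1:i + length]  # bit 7 of type is "critical"
        i += length

def signature_is_exportable(body):
    """False when a v4 signature carries Exportable Certification = 0 (5.2.3.11)."""
    if body[0] != 4:
        return True  # v3 signatures have no subpackets
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    j = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[j:j + 2])[0]
    unhashed = body[j + 2:j + 2 + unhashed_len]
    for area in (hashed, unhashed):
        for sptype, data in read_subpackets(area):
            if sptype == SUBPKT_EXPORTABLE and data[:1] == b"\x00":
                return False
    return True

def export_keyring(data):
    """Return (exported_bytes, dropped): what a 5.10-conformant export withholds."""
    out, dropped = bytearray(), []
    for tag, body in read_packets(data):
        if tag == TRUST:  # 5.10: SHOULD NOT be emitted to streams sent to other users
            dropped.append(("trust", len(body)))
        elif tag == SIGNATURE and not signature_is_exportable(body):
            dropped.append(("local-signature", len(body)))
        else:
            out += packet(tag, body)
    return bytes(out), dropped

def make_signature(exportable):
    """Constructed v4 certification skeleton (MPIs omitted, dummy hash prefix)."""
    subpkt = bytes([2, SUBPKT_EXPORTABLE, 1 if exportable else 0])  # len, type, value
    return (bytes([4, 0x10, 1, 8]) + struct.pack(">H", len(subpkt)) + subpkt
            + struct.pack(">H", 0) + b"\xab\xcd")

# Constructed sample keyring: two dummy keys, one local certification, two
# trust packets; the second User ID uses an old-format header (0xB4 = tag 13).
UID2 = b"Bob <bob@example.net>"
SAMPLE_KEYRING = (
    packet(PUBKEY, b"\x04" + b"\x00" * 4 + b"\x01" + b"\x00\x08\x81")
    + packet(USERID, b"Alice <alice@example.net>")
    + packet(SIGNATURE, make_signature(exportable=True))
    + packet(SIGNATURE, make_signature(exportable=False))  # the "local" signature
    + packet(TRUST, b"\x86")  # implementation-specific trust octet
    + packet(PUBKEY, b"\x04" + b"\x00" * 4 + b"\x16" + b"\x00" * 4)
    + bytes([0xB4, len(UID2)]) + UID2
    + packet(TRUST, b"\x82")
)
```

Walking `SAMPLE_KEYRING` with `read_packets` gives the tag sequence 6, 13, 2, 2, 12, 6, 13, 12; `export_keyring` returns the same stream minus the two Trust packets and the non-exportable certification, which is the only interpretation a reader needs beyond "sequential list of keys" plus the 5.10 SHOULD.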