IETF Logo Mail Archive

Re: [dane] Review of draft-ietf-dane-smime-15

worley@ariadne.com (Dale R. Worley) Tue, 28 February 2017 20:33 UTC

Return-Path: <worley@alum.mit.edu>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD0FB1296D7 for <dane@ietfa.amsl.com>; Tue, 28 Feb 2017 12:33:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.934
X-Spam-Level:
X-Spam-Status: No, score=-1.934 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aGGcV4qwFRRT for <dane@ietfa.amsl.com>; Tue, 28 Feb 2017 12:33:48 -0800 (PST)
Received: from resqmta-po-05v.sys.comcast.net (resqmta-po-05v.sys.comcast.net [IPv6:2001:558:fe16:19:96:114:154:164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E77D1296D6 for <dane@ietf.org>; Tue, 28 Feb 2017 12:33:48 -0800 (PST)
Received: from resomta-po-14v.sys.comcast.net ([96.114.154.238]) by resqmta-po-05v.sys.comcast.net with SMTP id ioR3clNY9y20uioSwceipr; Tue, 28 Feb 2017 20:33:46 +0000
Received: from hobgoblin.ariadne.com ([IPv6:2601:192:4603:9471:222:fbff:fe91:d396]) by resomta-po-14v.sys.comcast.net with SMTP id ioStcATmlBKYlioSucYtyh; Tue, 28 Feb 2017 20:33:45 +0000
Received: from hobgoblin.ariadne.com (hobgoblin.ariadne.com [127.0.0.1]) by hobgoblin.ariadne.com (8.14.7/8.14.7) with ESMTP id v1SKXhnq010454; Tue, 28 Feb 2017 15:33:43 -0500
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.14.7/8.14.7/Submit) id v1SKXghb010451; Tue, 28 Feb 2017 15:33:42 -0500
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com
To: Paul Wouters <paul@nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1702271412001.23426@bofh.nohats.ca> (paul@nohats.ca)
Sender: worley@ariadne.com
Date: Tue, 28 Feb 2017 15:33:42 -0500
Message-ID: <87r32ijbrt.fsf@hobgoblin.ariadne.com>
X-CMAE-Envelope: MS4wfEiDJWThwBXJnBSSjWxTABaorMi0S8bt98FNrjMSs6zkkIh0uxIMDbVYmOC1mC4qn4cl4hd6sD9HiAUTyesinFG4UPpYXSZt1RsnrSWdwifqcymqog2h 90+KdWBC5Ty+tTIfkhuTm33c6qT7e8orhT36uzpM6xGX0csLRYgLtRYh2U/HKRaSsxXFHAHCzrugzQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/YGQfE6yuSzbCSaIi1trw6kipikA>
Cc: dane@ietf.org
Subject: Re: [dane] Review of draft-ietf-dane-smime-15
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 20:33:49 -0000

Paul Wouters <paul@nohats.ca> writes:
> Regular processing rules for CNAME and DNAME apply - I don't think it
> requires additional text.

OK, I've used CNAME records but wasn't that familiar with the
specifications.  After reading in the RFCs, it looks like resolvers are
requied to follow CNAME and DNAME records, so those are invisible at the
application level.

>> 2. Presumably it was deliberate not to have the first label for an
>> SNAMEA record be the canonical UTF-8 string for the local-part, even
>> though the DNS architecture (RFC 1035) seems to admit binary labels.
>
> Yes, you can find 100+ messages in the archive or you can listen to
> a few hours of heated debate at some of the previous DANE IETF
> meetings. (So heated in fact, that I'm not even comfortable giving
> you a 1 line summary)

"Here be dragons."

Well enough.  Actually, I thought about this issue some more, and that
led to my followup e-mail.  I think there is a real desire to not have
the DNS provide a direct catalog of valid e-mail addresses, but it
conflicts with the weak security of non-salted hashes.  As I said in
that e-mail, I think this could be improved by providing a hash in a DNS
record, which would mean that hashes would be well-justified as
providing substantially more privacy/security than direct UTF-8 (or
base64 or anything reversible).

>> 3. Presumably it was deliberate to hash using SHA2-256 truncated to
>> 224
>> bits rather than use SHA-224.
>
> Yes, the Microsoft crypto api lacks support for SHA-224. We did want
> the shorter length so SHA256 truncated was chosen.

That makes sense.

>> 4. Is it worth suggesting that some mechanism might be devised for
>> annotating an e-mail message with the canonical form of the sender's
>> local-part that is intended to be used to authenticate the message?
>
> The SMTP people raised strong objections about interpreting anything
> as this is forbidden by the SMTP specifications. You will also find
> dozens of messags and recordings of meetings in the archive that lead
> to the current compromise text (which was also used in OPENPGPKEY, RFC-7929)

"Here be dragons."

Though I was thinking of a message header, not a feature of SMTP.  But
no doubt people will start experimenting with that anyway.

Dale

v2.23.0 | Report a Bug | By Email