Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Paul Wouters <paul@cypherpunks.ca> Thu, 06 February 2014 03:56 UTC

Date: Wed, 5 Feb 2014 22:56:52 -0500 (EST)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: dane WG list <dane@ietf.org>
In-Reply-To: <20140205210516.GN278@mournblade.imrryr.org>
Message-ID: <alpine.LFD.2.10.1402052254590.13653@bofh.nohats.ca>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org> <20140205210516.GN278@mournblade.imrryr.org>
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

On Wed, 5 Feb 2014, Viktor Dukhovni wrote:

> I strongly support Paul's comment.  Unlike stale on-disk certificates
> held by third-parties, published DANE records (SMIMEA, TLSA, ...)
> are maintained by the subject's domain and can be presumed *current*
> when the publishing domain is not negligent.
>
> Therefore, there is no need for a fragile blacklist mechanism.
> The DANE data in DNSSEC is a comprehensive whitelist.  Every
> certificate not listed in DANE is the wrong certificate; unlike
> CRLs, DANE fails closed.

+1

Any application caching DNS data beyond the TTL should either forget the
data, or prompt the user. Adding more bells and whistles in DNS to
emulate X.509 offline properties is not appropriate for DNS.

Paul
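The two policies in this exchange, a DANE record set as a fail-closed whitelist and a cache that must not be trusted past its TTL, as an added example that is not part of the thread or of the draft. It assumes the records were already obtained and DNSSEC-validated by a resolver, uses constructed byte strings in place of real DER certificates, and handles only selector 0 (full certificate) with matching types 0, 1 and 2; the SPKI selector would need a DER parser and is left out.

```python
import hashlib
import time
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_ALICE = b"constructed-der-bytes-for-alice@example.org"
CERT_OTHER = b"constructed-der-bytes-for-some-other-key"

# SMIMEA/TLSA matching types (RFC 6698 section 2.1.3).
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass
class DaneCache:
    """DNSSEC-validated SMIMEA/TLSA RRset for one owner name, plus when it was fetched."""
    fetched_at: float
    ttl: int
    # (usage, selector, matching_type, certificate_association_data)
    records: list = field(default_factory=list)

    def is_fresh(self, now: float) -> bool:
        return (now - self.fetched_at) < self.ttl


def assoc_data(cert_der: bytes, matching_type: int) -> bytes:
    """Compute the association data a record would carry for this certificate."""
    if matching_type == MATCH_EXACT:
        return cert_der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def check_certificate(cache: DaneCache, cert_der: bytes, now: float = None) -> str:
    """Return MATCH, REJECT or STALE; never trusts a record past its TTL."""
    now = time.time() if now is None else now
    if not cache.is_fresh(now):
        return "STALE"          # forget the data or prompt the user; re-query DNS
    for usage, selector, mtype, data in cache.records:
        if selector != 0:       # only full-certificate selector handled here
            continue
        if data == assoc_data(cert_der, mtype):
            return "MATCH"
    return "REJECT"             # not listed in DANE: fail closed, no blacklist needed


def make_sample_cache(fetched_at: float) -> DaneCache:
    """Constructed RRset: one SHA-256 full-certificate record for CERT_ALICE, TTL 300s."""
    rec = (3, 0, MATCH_SHA256, assoc_data(CERT_ALICE, MATCH_SHA256))
    return DaneCache(fetched_at=fetched_at, ttl=300, records=[rec])
```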