Re: [dane] S/MIME draft
"Rose, Scott" <scott.rose@nist.gov> Tue, 26 August 2014 17:50 UTC
Return-Path: <scott.rose@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A01DB1A00AD for <dane@ietfa.amsl.com>; Tue, 26 Aug 2014 10:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZ7uEuwgJPuX for <dane@ietfa.amsl.com>; Tue, 26 Aug 2014 10:50:32 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0237.outbound.protection.outlook.com [207.46.163.237]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EA671A0010 for <dane@ietf.org>; Tue, 26 Aug 2014 10:50:32 -0700 (PDT)
Received: from BLUPR09MB117.namprd09.prod.outlook.com (10.255.213.14) by BLUPR09MB119.namprd09.prod.outlook.com (10.255.213.147) with Microsoft SMTP Server (TLS) id 15.0.1015.19; Tue, 26 Aug 2014 17:50:30 +0000
Received: from BLUPR09MB117.namprd09.prod.outlook.com ([10.255.213.14]) by BLUPR09MB117.namprd09.prod.outlook.com ([10.255.213.14]) with mapi id 15.00.1015.018; Tue, 26 Aug 2014 17:50:30 +0000
From: "Rose, Scott" <scott.rose@nist.gov>
To: Paul Wouters <paul@nohats.ca>
Thread-Topic: [dane] S/MIME draft
Thread-Index: AQHPwTzSp2zLy/0IwEiIGXszYmLFzpvjAIoAgAApbQA=
Date: Tue, 26 Aug 2014 17:50:30 +0000
Message-ID: <699D1F51-00F3-4DD4-9D62-2307DC3B4582@nist.gov>
References: <CE2072BD-39C8-42FE-B08D-7930667D5DEC@verisign.com> <alpine.LFD.2.10.1408261110540.28003@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1408261110540.28003@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [129.6.140.6]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;UriScan:;
x-forefront-prvs: 03152A99FF
x-forefront-antispam-report: SFV:NSPM; SFS:(6009001)(199003)(51704005)(189002)(24454002)(377454003)(85306004)(105586002)(36756003)(107046002)(106116001)(21056001)(64706001)(101416001)(80022001)(66066001)(50986999)(106356001)(31966008)(76176999)(54356999)(99286002)(33656002)(74502001)(95666004)(74662001)(110136001)(20776003)(19580405001)(87936001)(19580395003)(81342001)(99396002)(4396001)(81542001)(86362001)(92566001)(92726001)(46102001)(90102001)(76482001)(83716003)(77982001)(15975445006)(82746002)(2656002)(85852003)(83072002)(79102001)(15202345003)(83322001)(104396001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR09MB119; H:BLUPR09MB117.namprd09.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:3; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <548528201E983742AB8FB2C9C84E2510@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/iAxaIbGnYIlm4oqg5OGf1H0ggdo
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] S/MIME draft
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 17:50:34 -0000
On Aug 26, 2014, at 11:22 AM, Paul Wouters <paul@nohats.ca> wrote: > On Tue, 26 Aug 2014, Osterweil, Eric wrote: > >> Some time ago we had some discussions about draft-ietf-dane-smime, which led to >> https://www.ietf.org/mail-archive/web/dane/current/msg06338.html >> A few of us felt that it might be productive to outline a set of requirements that we foresee DANE facing in enterprises environments (w.r.t. encrypted/signed email). To that end, we put together the draft: >> ``Enterprise Requirements for Secure Email Key Management'' >> http://tools.ietf.org/html/draft-osterweil-dane-ent-email-reqs-00 > > I'm not an smime person at all and I'm a little confused about what the > document is trying to do. It talks about "key management requirements", > and then suggests specific requirements for a "protocol"? > > Which protocol? I would think this would be very much in the realm of > local policies. If something is missing in the smime-dane draft for > "enterprise deployment", does that mean the smime-dane draft itself is > incomplete? Could you send PaulH and Jakob text to ensure it can support > enterprise roll-out? If it is complete, then your document should only list the > requirements on HOW to use it, instead of defining a new future protocol? > Noted - the requirements are for capabilities, so maybe "protocol" is a bad choice of words. This draft is to start to flesh out requirements and get the discussion going with the goal to improve the SMIMEA draft, or other drafts. > > REQ-16 Encryption keys MUST be discoverable separately from > signature keys. Possible means includes (but not limited to) > naming conventions, sub-typing or unique RR types for each > use > > Intuition: Not all certificates for a user may be needed > for all circumstances. Fetching them separately can be a > management, a scaling, or even a security concern. > > This requirement for example is impossible with the current smime-dane draft? And > sub-typing these days is frowned upon. > Just listing the options, even bad ones. :) The main reason for being able to differentiate between signing and encrypting keys is the size issue, but also reduce the risk of a client encrypting an email with a receiver's signing key by mistake. Enterprises may have the encrypting key stored at the receiving MTA, but not the signing key. Scott > I'm not sure how fetching the keys for encryption and signing separately > would be a security concern? That seems a little uhm, far fetched :) > If it is in public DNS, anyone can do it. If it is in private DNS, I'd > say it is already secured? > > Paul > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane =================================== Scott Rose NIST scott.rose@nist.gov +1 301-975-8439 Google Voice: +1 571-249-3671 http://www.dnsops.gov/ ===================================
- [dane] S/MIME draft Osterweil, Eric
- Re: [dane] S/MIME draft Paul Wouters
- Re: [dane] S/MIME draft Paul Hoffman
- Re: [dane] S/MIME draft Paul Wouters
- Re: [dane] S/MIME draft Osterweil, Eric
- Re: [dane] S/MIME draft Rose, Scott
- Re: [dane] S/MIME draft Rose, Scott
- Re: [dane] S/MIME draft Osterweil, Eric