Re: [dane] draft-ietf-dane-smime

Viktor Dukhovni <> Sat, 01 November 2014 23:33 UTC

Date: Sat, 01 Nov 2014 23:33:22 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: Re: [dane] draft-ietf-dane-smime
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 01 Nov 2014 23:33:26 -0000

On Sat, Nov 01, 2014 at 08:38:44PM +0000, Osterweil, Eric wrote:

> > Which certificate is being invalidated? Why is this needed?  What's
> > wrong with publishing a "3 1 1" association with an impossible key?
> Thanks for sending this note!  The idea here is to say, ``this
> specific key (which an RP may or may not have used before) is not
> to be used for this inbox, at this time.''  An impossible key just
> means _that_ key can't be used.  This idea isn't trying to disable
> an email inbox, just ensure that a key that may pass (or may have
> passed, once upon a time) other verification is unambiguously
> de-authorized.

Well, in *that* case the association data MUST be the leaf digest!
At least that would comport much better with the other DANE usages,
and allow selective "revocation" of one or more records.

However, it seems to me that *any* record which does not match the
current SMIME RR is implicitly invalid to valid new messages.  What
purpose does "reject" serve?

> > Once this field is not "NO", what is the meaning of the associated
> > data field carried with such a record?  Is it still providing a
> > valid DANE association?
> Yeah, I would say so.  I think this is the case most akin to the TLSA model.  I would say:
> 0 == use TLSA-style DANE
> 1 == look for info from a service that is described by NAPTR
> 2 == Look for info served from a WebFinger service.

What is the meaning of the associated *DATA* field?  Why should
this be an SMIMEA record?  I think this is misuse of that record.

> I don't understand this comment, but I think it stems from a miscommunication above.  This field would be used to say, ``look over there for the cert.''  If the cert info is encoded in SMIMEA, or its retrieval is outside of the DANE scope (i.e., the cert is included in an email message), then this field is left as 0 (not used).
> Does that make more sense?

No.  The alternate sources can be published and the application
can look there if it sees fit.
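The exchange above turns on what a "3 1 1" association actually identifies: with usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), the association data is the digest of one specific key, so a record carrying that digest can only ever match that key, and a digest that corresponds to no real key matches nothing. The following is an added example written for this archive page, not code from the thread's participants or from the draft; it implements the RFC 6698 selector and matching-type rules that SMIMEA reuses, and the certificate and SPKI byte strings are constructed stand-ins, not real DER. The proposed "reject" / alternate-source field discussed in the thread is not modelled, since the thread does not settle its definition.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

# DANE certificate usages (RFC 6698); only DANE-EE is exercised here.
USAGE_DANE_EE = 3
# Selectors: 0 = full certificate, 1 = SubjectPublicKeyInfo.
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
# Matching types: 0 = exact content, 1 = SHA-256 digest, 2 = SHA-512 digest.
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class SmimeaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data (RDATA after the three fields)


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    """Derive the association data a record would carry for this certificate."""
    if selector == SELECTOR_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_FULL:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_record(cert_der: bytes, spki_der: bytes, usage: int = USAGE_DANE_EE,
                selector: int = SELECTOR_SPKI,
                matching_type: int = MATCH_SHA256) -> SmimeaRecord:
    """Publish-side helper: the "3 1 1" record for a given end-entity key."""
    return SmimeaRecord(usage, selector, matching_type,
                        association_data(cert_der, spki_der, selector, matching_type))


def record_matches(record: SmimeaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Verify-side check: does this record identify the presented certificate?"""
    try:
        expected = association_data(cert_der, spki_der,
                                    record.selector, record.matching_type)
    except ValueError:
        return False  # unknown selector/matching type: treat as unusable
    return record.data == expected


def matching_records(records: Iterable[SmimeaRecord],
                     cert_der: bytes, spki_der: bytes) -> List[SmimeaRecord]:
    """All DANE-EE records in the RRset that bind the presented certificate."""
    return [r for r in records
            if r.usage == USAGE_DANE_EE and record_matches(r, cert_der, spki_der)]


def to_presentation(record: SmimeaRecord) -> str:
    """RFC 6698 presentation format: 'usage selector mtype hex-data'."""
    return f"{record.usage} {record.selector} {record.matching_type} {record.data.hex()}"


def parse_presentation(text: str) -> SmimeaRecord:
    """Parse the presentation format back into a record (whitespace in hex allowed)."""
    usage, selector, mtype, *hex_parts = text.split()
    return SmimeaRecord(int(usage), int(selector), int(mtype),
                        bytes.fromhex("".join(hex_parts)))


# Constructed stand-ins for two users' certificates and their SPKI blobs.
# Real records would be built from actual DER; these bytes are placeholders.
CERT_A, SPKI_A = b"constructed-cert-alice", b"constructed-spki-alice"
CERT_B, SPKI_B = b"constructed-cert-bob", b"constructed-spki-bob"

# A "3 1 1" record naming Alice's key, and one whose digest is 32 zero bytes:
# the latter corresponds to no key anyone holds, so it can never match.
RECORD_A = make_record(CERT_A, SPKI_A)
IMPOSSIBLE_RECORD = SmimeaRecord(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, b"\x00" * 32)

if __name__ == "__main__":
    print(to_presentation(RECORD_A))
    print("alice matches:", bool(matching_records([RECORD_A, IMPOSSIBLE_RECORD], CERT_A, SPKI_A)))
    print("bob matches:  ", bool(matching_records([RECORD_A, IMPOSSIBLE_RECORD], CERT_B, SPKI_B)))
```

Because the association data is a digest of one key, removing Alice's record (or replacing it with a digest of a different key) withdraws only Alice's key; nothing about Bob's record changes, which is the selectivity Viktor's reply asks the draft to preserve.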