Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt
Nicholas Weaver <nweaver@icsi.berkeley.edu> Tue, 11 September 2012 15:25 UTC
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Date: Tue, 11 Sep 2012 08:25:19 -0700
To: Jakob Schlyter <jakob@kirei.se>
Cc: 'IETF DANE WG list' <dane@ietf.org>
On Sep 11, 2012, at 6:25 AM, Jakob Schlyter wrote:

> On 11 sep 2012, at 07:03, Jim Schaad <ietf@augustcellars.com> wrote:
>
>> Problem #3 is almost impossible. It would require that only the end-entity certificate be listed, and this would mean that either it would be directly trusted or one would need to have both an EE certificate and a trust anchor listed in the DNS entry. The capitalization issue would need to be addressed as in the previous paragraph, but is harder given that the sender may have never seen the mailbox name for the recipient and may be guessing at what the string should be if the DNS namespace is not over-populated.
>
> I believe you are somewhat exaggerating this problem. IMHO, the requirements you list are true but in no way a showstopper, and I believe that publishing a down-cased EE cert would be a very pragmatic and deployable way of doing this.

I think the biggest problem is the trust relationships...

DNSSEC is designed to secure communication to the owner of the domain name. The same applies for DANE in most cases.

With SMIME, the receiving mail server (and thus the DNS infrastructure behind it) is not nearly so trusted: one point of something like SMIME is to keep Google (the mail server) from datamining the email to use against me.

Which implies that for problem #3, the solution may involve a DNSSEC signed record that includes both the SMIME certificate AND the identity of the mail account, with users' domains for the mail lookup being different from the domain (and company) handling the actual mail processing.
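An added illustration of the two points argued above, not code from the draft or from anyone on the thread: the lookup name is built from a down-cased local part (so the sender's guess at capitalization does not matter), and the record is checked to bind both the EE certificate and the mailbox identity before it is trusted. The owner-name scheme (hex SHA-224 of the local part under `_smimecert`), the record fields and all sample values are constructed assumptions, not the draft's wire format.

```python
import hashlib

# Assumed record shape (constructed, not the draft's format): a DNSSEC-validated
# answer carrying the owner name, the mailbox it is bound to, and the SHA-256
# fingerprint of the end-entity certificate.

def canonical_mailbox(mailbox: str) -> str:
    """Down-case local part and domain, the pragmatic fix Jakob proposes for
    the capitalization problem. Uses rpartition so a quoted local part
    containing '@' still splits at the last '@'."""
    local, sep, domain = mailbox.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a mailbox: %r" % mailbox)
    return local.lower() + "@" + domain.lower()

def smime_owner_name(mailbox: str) -> str:
    """Assumed scheme: hex(SHA-224(local part))._smimecert.<domain>."""
    local, _, domain = canonical_mailbox(mailbox).rpartition("@")
    digest = hashlib.sha224(local.encode("utf-8")).hexdigest()
    return "%s._smimecert.%s." % (digest, domain)

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def verify_binding(recipient: str, record: dict, cert_der: bytes):
    """Accept the certificate only if the record sits at the recipient's owner
    name, names the same mailbox, and matches the certificate presented.
    A record whose identity field names someone else is rejected even though
    it was found under the recipient's domain (the trust point above)."""
    if record["owner"] != smime_owner_name(recipient):
        return False, "owner name mismatch"
    if canonical_mailbox(record["mailbox"]) != canonical_mailbox(recipient):
        return False, "record bound to a different mailbox"
    if record["fingerprint"] != cert_fingerprint(cert_der):
        return False, "certificate fingerprint mismatch"
    return True, "ok"

# Constructed sample data standing in for a validated DNS answer.
ALICE_CERT = b"constructed-der-bytes-for-alice"
ALICE_RECORD = {
    "owner": smime_owner_name("alice@example.com"),
    "mailbox": "alice@example.com",
    "fingerprint": cert_fingerprint(ALICE_CERT),
}

if __name__ == "__main__":
    print(smime_owner_name("Alice@Example.COM"))
    print(verify_binding("Alice@Example.COM", ALICE_RECORD, ALICE_CERT))
```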