Re: [dane] draft-ietf-dane-smime

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 20 October 2014 16:09 UTC

Date: Mon, 20 Oct 2014 16:08:33 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141020160832.GG19158@mournblade.imrryr.org>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <67BDE5B6-58C7-4E0B-8CB4-045E51027D85@ieca.com> <E507FC56-947B-4A93-AA81-F0507D2FBC69@ogud.com> <62F1DB86-59B4-4165-9AEE-82A829B6A9A9@kirei.se> <20141017150448.GV20066@mournblade.imrryr.org> <B4AE1805-22D9-4E63-A18C-1EEC55C1C2E3@verisign.com> <CDE423BF-1418-4714-BF9C-44FAF5502643@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CDE423BF-1418-4714-BF9C-44FAF5502643@vpnc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/jQMx-MsCtx77uWD4H7cRbYhrE1c
Subject: Re: [dane] draft-ietf-dane-smime
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>

On Mon, Oct 20, 2014 at 09:01:56AM -0700, Paul Hoffman wrote:

> > Maybe it's also possible there was some misunderstanding from
> > the protracted email discussion?  The revocation discussion (IIRC)
> > really had to do with an assertion that TLS did not have revocation
> > needs.
> 
> Did anyone assert that? If so, please point it out. People asserted that revocation happens rarely for TLS certificates.

I've been known to say that with DANE TLSA, explicit revocation is
superseded by publishing an updated TLSA record.  Don't know whether
that was ever in the context of the revocation discussion in question.

Of course that only applies to situations in which DANE is always
used.  DANE is of no help when the verifier is using "traditional"
PKI.

-- 
	Viktor.
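The point made in the message above, that a DANE-EE verifier needs no CRL or OCSP because the operator "revokes" a key by changing the published TLSA RRset, as an added example. This is not code from the thread or from any DANE implementation: it is a toy DANE-EE(3) matcher using only the Python standard library, with constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo blobs and no real DNSSEC lookup (the records are handed in as a Python set). Only certificate usage 3 is handled; usages 0 to 2 need PKIX chain building and are skipped.

```python
"""Toy DANE-EE (TLSA usage 3) verifier: revocation by TLSA record update.

Added example, not from the dane@ietf.org thread. Standard library only;
the SPKI/certificate blobs below are constructed placeholders, not real DER.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the RFC 6698 presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the data a TLSA record with this selector/mtype must carry for cert_der."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def dane_ee_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE(3): the peer is authenticated iff some usage-3 record matches.

    No PKIX chain, no validity period and no CRL/OCSP is consulted for this
    usage (RFC 7671 section 5.1); the DNSSEC-signed RRset is the whole story.
    """
    for r in records:
        if r.usage != 3:
            continue  # usages 0-2 require chain validation; out of scope here
        if association_data(cert_der, spki_der, r.selector, r.mtype) == r.data:
            return True
    return False


def publish(spki_der: bytes) -> TLSARecord:
    """What an operator publishes at _25._tcp.mx.example: '3 1 1 SHA256(SPKI)'."""
    return TLSARecord(3, 1, 1, hashlib.sha256(spki_der).digest())


def rollover_scenario():
    """Key compromise/rotation as seen by a DANE-only verifier, step by step."""
    # Constructed stand-ins for DER SubjectPublicKeyInfo and certificate blobs.
    old_spki = b"\x30\x82SPKI-old-key"
    new_spki = b"\x30\x82SPKI-new-key"
    old_cert = b"CERT" + old_spki
    new_cert = b"CERT" + new_spki

    # 1. Steady state: only the old key's record is published.
    step1 = dane_ee_matches({publish(old_spki)}, old_cert, old_spki)

    # 2. Rollover: publish the new record alongside the old one first, so that
    #    caches still holding the old RRset keep working (RFC 7671 section 8).
    both = {publish(old_spki), publish(new_spki)}
    step2 = (dane_ee_matches(both, old_cert, old_spki),
             dane_ee_matches(both, new_cert, new_spki))

    # 3. After the TTL has passed, drop the old record. The old key is now
    #    rejected everywhere DANE is used, with no CRL or OCSP involved.
    only_new = {publish(new_spki)}
    step3 = (dane_ee_matches(only_new, old_cert, old_spki),
             dane_ee_matches(only_new, new_cert, new_spki))
    return step1, step2, step3
```

Step 3 is the "revocation": the old certificate is still syntactically valid and unexpired, yet a DANE-EE verifier no longer accepts it. The caveat in the message holds for this code too: a client doing traditional PKIX validation never looks at the TLSA RRset, so for it the old certificate remains valid until its CRL/OCSP status says otherwise.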