IETF Logo Mail Archive

[dane] Storing public keys in DNS… or LDAP

"Rick van Rein (OpenFortress)" <rick@openfortress.nl> Fri, 26 July 2013 14:19 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ADC221F9622; Fri, 26 Jul 2013 07:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.204
X-Spam-Level:
X-Spam-Status: No, score=-0.204 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5E91J073vyL5; Fri, 26 Jul 2013 07:18:57 -0700 (PDT)
Received: from smtp-vbr12.xs4all.nl (smtp-vbr12.xs4all.nl [194.109.24.32]) by ietfa.amsl.com (Postfix) with ESMTP id 1816621F842A; Fri, 26 Jul 2013 07:18:55 -0700 (PDT)
Received: from [10.0.1.225] (phantom.vanrein.org [83.161.146.46]) (authenticated bits=0) by smtp-vbr12.xs4all.nl (8.13.8/8.13.8) with ESMTP id r6QEIreD053957 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 26 Jul 2013 16:18:54 +0200 (CEST) (envelope-from rick@openfortress.nl)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: "Rick van Rein (OpenFortress)" <rick@openfortress.nl>
Date: Fri, 26 Jul 2013 16:19:01 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl>
To: dane@ietf.org, openpgp@ietf.org
X-Mailer: Apple Mail (2.1508)
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Mailman-Approved-At: Fri, 26 Jul 2013 07:20:26 -0700
Subject: [dane] Storing public keys in DNS… or LDAP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2013 14:19:02 -0000

Hello Paul Wouters,

I came across your work on storing public key credentials of users in the DNS:
* draft-wouters-dane-openpgp-00
* draft-wouters-dane-otrfp-00
As I am currently trying to achieve similar, secure end-to-end exchanges of public key material for secure communication, this is very interesting.  Thanks for the work!

When I read them, I found that you made a choice that we deliberately abandoned as unpractical, so I thought it good to share our thoughts.  The background of our work is http://networkeffectalliance.org/ with which we aim to get more end user and technical facilities incorporated into hosting packages.  Doing this, we are rather keen on privacy and security, as you are in your drafts.

We decided against the sort of options in DNS that you are describing because we felt that the DNS is not meant for storing individual user credentials.  One reason for this opinion is that DNS is ultimately treated public data, and no DNS admin will accept responsibility for "leaking" information through DNS, whereas most users will not want that kind of treatment with their electronically addressable contact channels.  Another reason is that DNS management is usually considered too sensitive to update for end user changes; which is why it is often in the hands of another (class of) operator.

We are embarking in another direction, and thought this might also be useful for you, also because it can be used without RFC work.  Instead of  using DNS for user data, we are looking at LDAP (with DANE to secure it).  It is a very suitable mechanism for retrieval of end-user descriptive information, ranging from postalAddress to pgpKey descriptions.  It also has a well-established notion of a Global Directory that is based on DNS-names derived from dc=,dc= trailers to distinguishedNames, and SRV record lookups of LDAP service under such domains.  Given an email address, the username part can then be sought with (uid=…) filtering, and PGP keys and such can be located under that node.  I am not aware of any XMPP profile for LDAP, but that is as straightforward to define as it has been for OpenPGP, SSH and even SRP.  It is probably easier to get such an LDAP attribute spec standardised as an RFC or even just a XEP than your proposed use of DNS.

The searchable structured data in LDAP can have privacy issues when used as a public-facing service when published without restraint; we are resolving that with a filtering practice (for which we are developing software) that can filter out considered-private attributes (or objects) unless their attribute values are explicitly mentioned in a query.  So, searching for (uid=rick) under dc=openfortress,dc=nl would deliver my account record with email address and SIP phone number as well as being a parent for key material, but searching for (uid=*) would not deliver this if I configured LDAP to treat uid as too private to publish in that case.  Another reason not to publish LDAP is that it is often used for data about local infra; this can be solved by separating in-house and public directory services.

If you want to know more about this work, you can visit this site with the work in progress: http://rickywiki.vanrein.org/doku.php?id=globaldir

Specifically note how, for OpenPGP, there is a solution that already works with PGP tools -- they will perform that LDAP queries to per-domain LDAP service. I detailed it on the subpage http://rickywiki.vanrein.org/doku.php?id=globaldir-5-openpgp


I hope this is helpful!


Cheers,

Rick van Rein
OpenFortress
+31.53.4782239
rick@openfortress.nl   (SMTP, XMPP, SIP)

v2.23.0 | Report a Bug | By Email