Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Scott Rose <scottr.nist@gmail.com> Wed, 08 January 2014 20:34 UTC

Return-Path: <scottr.nist@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A936E1AE18F for <dane@ietfa.amsl.com>; Wed, 8 Jan 2014 12:34:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.633
X-Spam-Level:
X-Spam-Status: No, score=-2.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Y4oLPUTYnTE for <dane@ietfa.amsl.com>; Wed, 8 Jan 2014 12:34:38 -0800 (PST)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 884751AE156 for <dane@ietf.org>; Wed, 8 Jan 2014 12:34:38 -0800 (PST)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.174.1; Wed, 8 Jan 2014 15:34:01 -0500
Received: from postmark.nist.gov (129.6.16.94) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server (TLS) id 8.3.327.1; Wed, 8 Jan 2014 15:34:27 -0500
Received: from 6-140.antd.nist.gov (6-140.antd.nist.gov [129.6.140.6]) by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id s08KYJFl029493 for <dane@ietf.org>; Wed, 8 Jan 2014 15:34:19 -0500
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Scott Rose <scottr.nist@gmail.com>
In-Reply-To: <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org>
Date: Wed, 8 Jan 2014 15:34:19 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <EC627866-DE33-40B1-A5A8-B91501CFD1EB@gmail.com>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org>
To: "dane@ietf.org list" <dane@ietf.org>
X-Mailer: Apple Mail (2.1827)
X-NIST-MailScanner-Information:
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 20:34:40 -0000

On Jan 8, 2014, at 10:54 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> Thanks for the review, Scott. I didn't see it until I has pulled the lever on -04 to deal with a few of Mark's comments.
> 
I'd rather hear negative reviews of bad ideas than no reviews of good ones. 


> On Jan 8, 2014, at 6:58 AM, Scott Rose <scottr.nist@gmail.com> wrote:
> 
>> 1. naming convention to help distinguish between signing and encryption key certs (for enterprises that use separate certs for encrypting and signing).  It helps reduce the size of the SMIMEA RRset a bit, but admittedly minor compared to the size of an X.509 cert.
> 
> The slight saving of space also introduces a new, significant failure mode, namely that if the person listing the cert in the DNS gets the type wrong then the receiver can't use it. I'd say "no" on this one.

Admittedly it doesn't save much.  

> 
>> 2. a new CU value for "revoked" to indicate that this user's certificates have been revoked.  
> 
> We considered things like this for TLSA, and the WG seemed very hesitant to have the DNS be used as a second, unofficial revocation mechanism. For instance, what would it mean for the DNS to say that an S/MIME cert is revoked, but when the user pulls a fresh CRL, the cert isn't there? The best we might do is to have a signal for "go refresh your revocation view" in the DNS, but that seems like very marginal value.
> 

Our thinking was with local trust anchors where places may not keep their CRL's up to date or even make it available.  I hope it's not optimistic in thinking that new DANE uses will encourage people to keep CRL's current.


>> There are some signed/encrypted email projects rolling out now that are using CERT RR's or combinations of SRV RR's and LDAP servers.  Having something like SMIME would be an improvement, but the spec needs to be finalized.  
> 
> And Jakob and I apologize for the long lag since the earlier draft. We too would like to see this finished.
> 

Count me as a reviewer.

Scott

> --Paul Hoffman