IETF Logo Mail Archive

Re: [dane] Fwd: New Version Notification for draft-osterweil-dane-ent-email-reqs-01.txt

Doug Montgomery <dougm.work@gmail.com> Sat, 29 November 2014 05:18 UTC

Return-Path: <dougm.work@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320051A0030 for <dane@ietfa.amsl.com>; Fri, 28 Nov 2014 21:18:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b_nM1C09fIHb for <dane@ietfa.amsl.com>; Fri, 28 Nov 2014 21:18:53 -0800 (PST)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AF1B1A0027 for <dane@ietf.org>; Fri, 28 Nov 2014 21:18:52 -0800 (PST)
Received: by mail-lb0-f169.google.com with SMTP id p9so6451198lbv.28 for <dane@ietf.org>; Fri, 28 Nov 2014 21:18:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=ekk/Vt+M514U1CUS+XqNYrs9OkMk9GLZNlXS2QhqHJA=; b=jhRevlNsJ2+KOtzPqJZrldqVdREcsv07Wa8p61oZ+HiYOvXWb5Mns845S5PVdAXge5 IqFuSZUWPWVHNBjPmDVHtqT/oQwYcxscN4hu59slJE5UJVTOgsFlPpAVgyXcqzUn+aIn iT7CI2ZVHLrRyXhW7/aMJyH+thvZZJcZ+GtxLHMzuZyfdr9YYsxSD8KZ6INuxfd6CSeF VlSDFzHTwCyjRO+siM+W8FP42Vgdht/vm+9fVXegxv4YTpJOl+6wJD0SVhnXd7Ehv+DR 2t1WL9pgqKVpozawg0hfWz/YIsXeQ+x1dNhh/DwTVopB1fQc2PUB7BfwDXIJmS8XvENs EsGQ==
X-Received: by 10.152.120.73 with SMTP id la9mr47184721lab.23.1417238331061; Fri, 28 Nov 2014 21:18:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.26.16 with HTTP; Fri, 28 Nov 2014 21:18:30 -0800 (PST)
In-Reply-To: <20141126010456.GB25114@mournblade.imrryr.org>
References: <20141126000329.7972.72323.idtracker@ietfa.amsl.com> <B81C95E2-0F2B-4E5B-B4C5-7CD25BEE6F0B@nist.gov> <20141126010456.GB25114@mournblade.imrryr.org>
From: Doug Montgomery <dougm.work@gmail.com>
Date: Sat, 29 Nov 2014 00:18:30 -0500
Message-ID: <CAMaMmnnONn21-cNjAxKyNunfWZTOTLshVXbHTn6FY71fgjGkHg@mail.gmail.com>
To: dane WG list <dane@ietf.org>
Content-Type: multipart/alternative; boundary="089e011766e548fd190508f883aa"
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/qJDsanQVQ4Q68QzAchwU565VMpw
Subject: Re: [dane] Fwd: New Version Notification for draft-osterweil-dane-ent-email-reqs-01.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Nov 2014 05:18:55 -0000

On Tue, Nov 25, 2014 at 8:04 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Wed, Nov 26, 2014 at 12:07:06AM +0000, Rose, Scott wrote:
>
> > We submitted a new version of the email-reqs draft.  This version is
> likely not perfect, but I wanted it to appear before the US Thanksgiving
> holiday so people have a chance to look at it before the interim meeting.
> >
> > Text and requirements are cleaned up a bit and added example use cases
> for non-trivial requirements.  Also added a new section of requirements
> that are not really DANE relevant, but added for completeness and just to
> have them documented somewhere.  A new DANE type is probably not the ideal
> solution for all of these requirements.
> >
> > Comments welcome, now or during/after the interim meeting,
>
> * REQ-2 seems to suggest DNAME in a context where I would generally
>   expect CNAME (linking one leaf record to another).  DNAMEs would
>   far more likely be used when all users have addresses in each of
>   two or more equivalent domains.
>
> * I think REQ-5 is a leap from the underlying desire of constraining
>   credentials to specific uses.  It states that it must be possible
>   to convey negative assertions (don't use key K for purpose P'),
>   while it may be quite sufficient to use positive assertions,
>   which have better security semantics (use K for purpose P), and
>   anything not asserted is by definition not valid.
>
>   Thus the requirement ought to be implementation neutral, and whether
>   it is implemented in positive or negative terms is an implementation
>   choice not a requirement.
>

There are two issues that need to be addressed here.

1. Some enterprise identity management systems bind encryption and signing
keys to network identities for other purposes (i.e., not specific to
email).   The requirement addressed the ability for domains to indicate
that even though you might know of such keys through other means, they are
not valid for end-to-end SMIME usage in this domain.

2. The semantics during incremental deployment, and persistent partial
deployment must be well defined.   i.e., one must be able to definitively
determine if the lack of a positive assertion is a purposeful statement of
key usage policy, or a transient condition of partial deployment.

It was not apparent to us how the absence of positive assertions could
address these requirements.

dougm
-- 
DougM at Work

v2.23.0 | Report a Bug | By Email