Re: [dane] I-D Action: draft-ietf-dane-smime-04.txt

"Dickson, Brian" <bdickson@verisign.com> Thu, 09 January 2014 17:08 UTC

Return-Path: <bdickson@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAC981ADF96 for <dane@ietfa.amsl.com>; Thu, 9 Jan 2014 09:08:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2r8x2SDMwYr for <dane@ietfa.amsl.com>; Thu, 9 Jan 2014 09:08:40 -0800 (PST)
Received: from exprod6og121.obsmtp.com (exprod6og121.obsmtp.com [64.18.1.237]) by ietfa.amsl.com (Postfix) with ESMTP id C5A2B1ADFB7 for <dane@ietf.org>; Thu, 9 Jan 2014 09:08:39 -0800 (PST)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob121.postini.com ([64.18.5.12]) with SMTP ID DSNKUs7Xjgx0tkyNbi45XLDcyuxG7O6e5qjW@postini.com; Thu, 09 Jan 2014 09:08:31 PST
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01.vcorp.ad.vrsn.com [10.173.152.205]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id s09H8Ttn019829 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 9 Jan 2014 12:08:29 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0342.003; Thu, 9 Jan 2014 12:08:29 -0500
From: "Dickson, Brian" <bdickson@verisign.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, "dane@ietf.org list" <dane@ietf.org>
Thread-Topic: [dane] I-D Action: draft-ietf-dane-smime-04.txt
Thread-Index: AQHPDIWROXmKcpQJ/ky85WTI7CjLRZp7UK8AgAAM6YCAAUQuAA==
Date: Thu, 9 Jan 2014 17:08:28 +0000
Message-ID: <CEF43EFD.F8FB%bdickson@verisign.com>
In-Reply-To: <89AE05E1-BC6C-46BA-A4CC-A8F29070096D@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <0E619CE2443F9943A863FA9F9F550C1F@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 17:08:43 -0000

On 1/8/14 11:48 AM, "Paul Hoffman" <paul.hoffman@vpnc.org> wrote:

>On Jan 8, 2014, at 8:01 AM, Viktor Dukhovni <viktor1dane@dukhovni.org>
>wrote:
>
>> On Wed, Jan 08, 2014 at 07:23:21AM -0800, internet-drafts@ietf.org
>>wrote:
>> 
>>> 	Filename        : draft-ietf-dane-smime-04.txt
>> 
>> Given the use of base32 encoding, and explicit non-support for
>> names that encode to more than 63 bytes of base32 text


[snip, include all useful context ;-)]

>Yes it does. It also puts a burden on the application to use our new
>"base32ish" encoding instead of the base32 encoding they already have. In
>order to save five bytes.
>
>> Finally is the word "prohibited" appropriate in the new text:
>> 
>>       Also note that user names can be any length, and labels are
>>       limited to 63 octets.  Also note that user names that are
>>       encoded with Base32 are longer than the original user name.
>>       Any user name that would cause a label of longer than 63
>>       octets is expressly prohibited by this specification.
>> 
>> I would think "unsupported" or "incompatible" would be closer,
>> since such local parts remain valid, even though there are incompatible
>> with SMIMEA.
>
>You are right: we'll change to "incompatible" in the next draft.

Let's see if I understand the purpose of the original proposal (base32
encoding of local-part/"local part"), the limitations, and the
counter-proposals.

These are for deterministically putting something into DNS, and for
deterministically finding the thing that was put into DNS.
The RHS is the interesting thing (e.g. smime stuff), and the LHS just has
to be deterministic, right?

The input can be either non-international (arbitrary length ASCII
characters, bytes with first bit 0) or international (arbitrary length
strings of UTF8). Even adding a distinguisher between the two input sets,
at best would only optimize fixed-upper-limit functions (7 onto 5 or 8
onto 5 encoding schemes with 63 character max).

So instead of "encoding" per se, what about using a hash function?

It does not have to automatically be an existing hash function, although
re-use of the NSEC3 code might be reasonable.

All that matters is that the probability of hash collisions is very very
low, and perhaps the addition of some collision-mitigation would help.

LDH = 26 alpha + 10 digit + hyphen = 37 characters
37^63 is a big big number (about 100 decimal digits starting with "6").

It means on average the lhs is longer, but in practical terms removes the
upper limit on the encoding (since the hash function has no upper limit on
input).

We're talking about stuff that hasn't yet been developed, right, so a
major shift in LHS stuff is no biggie?

Brian