Re: [dane] Question regarding RFC 8162

Metin Savignano <ms@savignano.net> Sat, 10 September 2022 11:13 UTC

From: Metin Savignano <ms@savignano.net>
Date: Sat, 10 Sep 2022 13:12:50 +0200
Cc: dane@ietf.org
To: Eric Osterweil <lists@osterweil.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/tLoa8iJ0u1AvRUzEoyEPad25jQY>

Thank you very much for your quick reply!

> I think it's great that you're looking at this! To answer your specific question, I understand that different people have differing levels of interest in signing vs. encryption (vs. both) for email. I recall a number of us had discussions about how you could place a root certificate at a wildcard at the mail domain's APEX, so querying any lhs under that domain would return an SMIMEA record that could be usage type 0 or 2 (PKIX_TA or DANE_TA). I think that would accomplish your goal of not needing to key every user.
> 
> So, for user_1@example.edu through user_n@example.edu, you would hit *.example.edu SMIMEA, which would return the root cert. Does that make sense?

Yes, that absolutely makes sense. However, I wonder if that is the intended use, and if so, I suggest that it should absolutely be mentioned in the RFC.


> Just as some context: we, in my lab, are looking into SMIMEA as well and we've launched a pilot of an open provisioning infrastructure for managing per-user complexities, MUA add-ons that use DANE for S/MIME, and an open reference implementation of several DANE protocols (DANEportal.net, kurer.daneportal.net, and libCanute, respectively). Our goals seem a little different than yours, but we would be happy to see if they can help you out. We presented at the last IEPG, and the students are (I believe) on this list and can respond if you have any other thoughts!

Looks very interesting, and I appreciate any exchange of ideas and concepts. I welcome anything that could help to simplify S/MIME encryption for end users!

Let's stay in touch.

Thanks
Metin
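The wildcard trust-anchor idea discussed in this thread, as an added example that is not code from the thread, from DANEportal or from libCanute: RFC 8162 places SMIMEA records under `_smimecert.<domain>` with a hashed local-part as the left-most label, so the wildcard that answers for every user is `*._smimecert.example.edu`, and a single usage 0 or 2 record there publishes the root certificate. The trust-anchor certificate bytes below are a constructed placeholder, and the wildcard check is a simplified model of RFC 4592 that assumes no closer names exist in the zone.

```python
"""Added example, not code from this thread or from DANEportal: RFC 8162
SMIMEA owner names and a single wildcard trust-anchor record."""
import hashlib


def smimea_owner_name(local_part: str, domain: str) -> str:
    """Owner name for an address per RFC 8162 section 3: the SHA2-256 hash of
    the local-part, truncated to 28 octets and written as 56 lowercase hex
    characters, then the "_smimecert" label, then the mail domain."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._smimecert.{domain.rstrip('.')}."


def wildcard_covers(owner: str, wildcard: str) -> bool:
    """Simplified RFC 4592 check: assuming no closer name exists in the zone,
    '*.parent' synthesises answers for any name with one or more labels below
    'parent'. SMIMEA owner names add exactly one label, so they always fit."""
    if not wildcard.startswith("*."):
        return False
    o = owner.rstrip(".").lower().split(".")
    parent = wildcard.rstrip(".").lower().split(".")[1:]
    return len(o) > len(parent) and o[-len(parent):] == parent


def smimea_ta_record(domain: str, ta_cert_der: bytes, usage: int = 2) -> str:
    """Presentation form of one wildcard SMIMEA record that publishes a trust
    anchor: usage 0 = PKIX-TA, 2 = DANE-TA (RFC 7218 acronyms); selector 0 =
    full certificate; matching type 1 = SHA2-256 of the certificate. Per-user
    certificates must still chain to this anchor, and usage 2 relies on
    DNSSEC-validated data, but no per-user DNS record is needed."""
    if usage not in (0, 2):
        raise ValueError("trust-anchor usages are 0 (PKIX-TA) or 2 (DANE-TA)")
    assoc = hashlib.sha256(ta_cert_der).hexdigest()
    return f"*._smimecert.{domain.rstrip('.')}. IN SMIMEA {usage} 0 1 {assoc}"


# Constructed placeholder standing in for a DER-encoded trust-anchor certificate.
PLACEHOLDER_TA_DER = b"\x30\x82\x00\x00placeholder-ta-certificate"

if __name__ == "__main__":
    wildcard = "*._smimecert.example.edu."
    for user in ("user_1", "user_2", "user_n"):
        name = smimea_owner_name(user, "example.edu")
        print(name, "covered" if wildcard_covers(name, wildcard) else "not covered")
    print(smimea_ta_record("example.edu", PLACEHOLDER_TA_DER))
```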