Re: [dane] Question regarding RFC 8162
Metin Savignano <ms@savignano.net> Mon, 19 September 2022 09:58 UTC
Return-Path: <ms@savignano.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3B6CC14CF1E for <dane@ietfa.amsl.com>; Mon, 19 Sep 2022 02:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0IK3L6mI0Vb1 for <dane@ietfa.amsl.com>; Mon, 19 Sep 2022 02:58:39 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52250C14F74B for <dane@ietf.org>; Mon, 19 Sep 2022 02:58:38 -0700 (PDT)
Received: from smtpclient.apple ([62.54.177.99]) by mrelayeu.kundenserver.de (mreue011 [213.165.67.97]) with ESMTPSA (Nemesis) id 1MDhQt-1oTJ0A2tDr-00AoXI; Mon, 19 Sep 2022 11:58:33 +0200
From: Metin Savignano <ms@savignano.net>
Message-Id: <2ED3C271-7590-4B7F-B948-BF911AFF74AC@savignano.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A0E2A719-7741-4E9E-93E1-1A3519B2CB74"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Mon, 19 Sep 2022 11:58:31 +0200
In-Reply-To: <MN2PR05MB69433EC12366ACA794A42897D3499@MN2PR05MB6943.namprd05.prod.outlook.com>
Cc: "dane@ietf.org" <dane@ietf.org>
To: Tawhidul Islam <tislam20@gmu.edu>
References: <7B212BFE-F674-46AA-86E8-FEF77D909536@savignano.net> <1CD1C43B-6080-4C58-BF9F-E085CA97FD43@osterweil.net> <B526F1E6-74A8-4731-86ED-597BFF34DB25@savignano.net> <MN2PR05MB69433EC12366ACA794A42897D3499@MN2PR05MB6943.namprd05.prod.outlook.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
X-Provags-ID: V03:K1:GZsAeRVLgTWhdmYNYlXBCAylnqgWfejQa4+ZsZ7f1loOW85/KqU oo7gpa8guKmDyXJYrSvKZnVL1yijfSvNqngFSyVfdUWh8KeWGO4enQsC2ir0e+yYvWv5Mhd fALNatbmY/gP1BDhXWUuxwgs4A+2moOjCgzE4F9yA8y6izrCFboBwDMGjZFR6E6k+dK0bp3 EBw2jIi3dDKiLC+/vt/lw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:/B5NIXKymh4=:oHNfsbq5pHES0kt+zHaVGi +6nHp+f2AAgMrB8lexnlbX/EU8D8kZVrDY3Uc7XSI52rCkK1Qc2P+sfCWECrTaXd4KxndALce saYi9lX3dT5VpzLP4bSf9/kJudmRsdBbxHGCiWMHbSMBqRKuKjlW+7gN0w+wGwqkpggLozpM3 whoyykikbQ5Wxp5qyd/FoTVDLCWlC3jqci95DGvswJqWwIPb/URVlJbMwvo/eu9EKSx3a1BJF Etw2zfvngvKmE6MMCwf5mqUOuAhK7p8htmA0mlUj1+ReOYJtCgYp7fqKzaQ/lfEB2zxqv/P6U c1EyQ++r6kNphZM71r/3Z9BT/htc7bWALNlgqk6LVPXFIBeVWCy7RjyqPx1zyCyJo/JfKBd2e 69gg8OnNc5E2ebvi6vVijQ2EN1VxCmLgZBzXoyiNYMKx2t7YvGW4dP7lYPvsNZIMm6S5iuueC tbjLWsZzitsw0BM/nDoXAOSqzsxlFabaedgWNQfggL4XIHZzxUkxufj+UmW7Mo5Acvht5ZYmx xsvm4hcm6RjN7buyPMMcouBLNm23kuE5PTwjrvw4fGv9gJXuArz0XshDllh2UF2gAaOtOOZSv e08oGjbFwUcwmEz+Y37KauO4DJ9UNsYmCh6gHwFXpoba736p/FKm0ba/LQohQLKWX2Sh+layz NI8S6HBTMnioRxIjjsQZeYys0itP20e7S2NP3bA0l65CLrQd3pdvBccCMOdfQMoTr+on2bbXQ Els63/OYFBXhlcJ/kPN/NnUvzkmywlbn+NHSNr651firSLUnsNd7tCobuR3Q187tHuMC30nNH +i/pBa/
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/uVLwMgAg817SqCk1L-Ca6QIIh6g>
Subject: Re: [dane] Question regarding RFC 8162
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2022 09:58:45 -0000
Hi Minar, I appreciate your response, and I hope these suggestions are going to be considered in the RFC. > I’m happy to hear you bring this up, since I also agree that we are missing an important mechanism for clients to specifically search for a signature vs encrypting cert record on DNS -- it’s unfortunate the current RFC did not address this. > > There was an older idea bounced around that we implemented for daneportal.net <http://daneportal.net/> of having dedicated meta domains for those two: > E.g. Jane Doe’s encrypting cert would be an SMIMEA record under “<hash>._encr._smimecert.example.com <http://smimecert.example.com/>”, and her 7 signature certs could all be in “<hash>._sign._smimecert.example.com <http://smimecert.example.com/>”. > For the basic RFC compliance, this is done in addition to putting a copy of all those records in the usual <hash>._smimecert zone. > Clients that are wise to that non-standard _encr/_sign domains could speed up cert resolution with that pathway, but could always fallback to the standard _smimecert domain. The cert attributes are only considered if the USAGE calls for it (PKIX-CA/EE constrained). Shouldn’t this become part of the standard? Due to the relatively large size of SMIMEA records (if they hold the full certificate), I think it should be avoided to generate unnecessary traffic. If separate certificates are used for encrypting and signing, then it may desirable to transfer only the one that is needed. On the other the MUA will probably need both sooner or later, so perhaps it’s not so much of real world problem as I was thinking. I guess I understand that your approach is a bit different than our scenario. Our original idea was that it should be possible to retrieve a company’s own root certificate from the DNS, so to verify any S/MIME certificate that has been issued by it. This idea implies that the S/MIME certificate itself has already been received by the MUA in a signed email and only needs to be verified. Your approach seems to go a step further by trying to enable the MUA to send an encrypted email to some other user of whom it does not have received a certificate at all yet, right? I think both scenarios are absolutely valid and should be considered by this RFC. Metin
- [dane] Question regarding RFC 8162 Metin Savignano
- Re: [dane] Question regarding RFC 8162 Viktor Dukhovni
- Re: [dane] Question regarding RFC 8162 Eric Osterweil
- Re: [dane] Question regarding RFC 8162 Metin Savignano
- Re: [dane] Question regarding RFC 8162 Metin Savignano
- Re: [dane] Question regarding RFC 8162 Tawhidul Islam
- Re: [dane] Question regarding RFC 8162 Metin Savignano