Re: [dane] draft-ietf-dane-smime

Jakob Schlyter <jakob@kirei.se> Thu, 16 October 2014 15:18 UTC

Return-Path: <jakob@kirei.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD3C71A1BF3 for <dane@ietfa.amsl.com>; Thu, 16 Oct 2014 08:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.361
X-Spam-Level:
X-Spam-Status: No, score=-1.361 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHso_8NI_clU for <dane@ietfa.amsl.com>; Thu, 16 Oct 2014 08:18:03 -0700 (PDT)
Received: from spg.kirei.se (spg.kirei.se [IPv6:2001:67c:394:15::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F8511A1BF2 for <dane@ietf.org>; Thu, 16 Oct 2014 08:18:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kirei.se; s=spg20100524; h=received:content-type:mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to:x-mailer; bh=ZwRLvn9IzDVg1fOOlLcODSr/PtF8REwXtWf+dPTF5ZA=; b=nTgBGi65jgNCW8BPG2M+Ah6decVr1qZxcuzhGUx8JArb4l1TMw89y+oJymvzw+465pPHtI9qinua2 j33STfjJ+qKB/qmUtCvODqJovlZDz3pp0Zyz8/TRG0e+T0X6gHBqZyD3rmfP+g+OOvpBfug54buRUC O068z7pRFN/zJ9kc=
Received: from mail.kirei.se (unknown [91.206.174.10]) by spg-relay.kirei.se (Halon Mail Gateway) with ESMTPS; Thu, 16 Oct 2014 17:17:51 +0200 (CEST)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <E507FC56-947B-4A93-AA81-F0507D2FBC69@ogud.com>
Date: Thu, 16 Oct 2014 17:17:49 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <62F1DB86-59B4-4165-9AEE-82A829B6A9A9@kirei.se>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <67BDE5B6-58C7-4E0B-8CB4-045E51027D85@ieca.com> <E507FC56-947B-4A93-AA81-F0507D2FBC69@ogud.com>
To: =?windows-1252?Q?=D3lafur_Gu=F0mundsson?= <ogud@ogud.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/v-UGBt2BLKaXXNlnmHpzq-nVt7E
Cc: draft-ietf-dane-smime@tools.ietf.org, "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] draft-ietf-dane-smime
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 15:18:07 -0000

On 16 okt 2014, at 16:58, Olafur Gudmundsson <ogud@ogud.com> wrote:

> If  X@Y sends S/MIME signed message to  DANE WG on January 20’th 2016. 
> X@Y leaves Y on Feb 15’th 2016. 
> 
> Is there any value in being able to validate the signature when a document editor gets around to read the message March 15 2016 while updating the document referenced in the email to meet the ID deadline for IETF-95  ? 

You basically want to know if certificate C was valid at time T. A CRL might tell you when a certificate was revoked, whereas OCSP does not. Neither of the proposals discussed in this group so far would help you with that either.

Paul and I advocate that SMIMEA will only tell you if a given certificate is valid in real time (or in the proximity of). Others say an explicit revoked flag would be useful.

I believe your question is interesting, but I suspect it is out of scope for this group. If a given certificate is not valid, you can always go back to a CRL (if one exists) and find out when it was revoked.


	jakob