[dane] SMIMEA prototyping

"Osterweil, Eric" <eosterweil@verisign.com> Mon, 29 September 2014 11:44 UTC

Return-Path: <eosterweil@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99091A1A2C for <dane@ietfa.amsl.com>; Mon, 29 Sep 2014 04:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.302
X-Spam-Level:
X-Spam-Status: No, score=-2.302 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3S-PBr_3bCP for <dane@ietfa.amsl.com>; Mon, 29 Sep 2014 04:44:34 -0700 (PDT)
Received: from exprod6og114.obsmtp.com (exprod6og114.obsmtp.com [64.18.1.33]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 045051A039D for <dane@ietf.org>; Mon, 29 Sep 2014 04:44:33 -0700 (PDT)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob114.postini.com ([64.18.5.12]) with SMTP ID DSNKVClGIV+8JwKosq9bT+3uce2AxNvQMmfF@postini.com; Mon, 29 Sep 2014 04:44:34 PDT
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02.vcorp.ad.vrsn.com [10.173.152.206]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id s8TBiWun003970 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dane@ietf.org>; Mon, 29 Sep 2014 07:44:32 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Mon, 29 Sep 2014 07:44:32 -0400
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: dane WG list <dane@ietf.org>
Thread-Topic: SMIMEA prototyping
Thread-Index: AQHP29q7Y0Wg27e53U2QPZq9K7XNoA==
Date: Mon, 29 Sep 2014 11:44:31 +0000
Message-ID: <ED6F2DCA-C3D9-4B40-A94C-AAF93C4A3882@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: multipart/signed; boundary="Apple-Mail=_0B32CCC7-3FC0-4A05-9FF2-5F74089CE7B5"; protocol="application/pkcs7-signature"; micalg="sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/wj0rcpirR9KGOJak6ScFLntTJAk
Subject: [dane] SMIMEA prototyping
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2014 11:44:36 -0000

Hey everyone,

A few of us at Verisign (actually, that would be Lynch Davis) have been working on a prototype for the SMIMEA draft. We have written a general library+API, we have integrated it into Thunderbird, and have begun integrating into Mail.app. Our plans are to publish this as open source at some point after the DANE workshop that will be taking place at ICANN 51 (where we will be demo'ing it). We ran into numerous interesting wrinkles and made some specific design choices, but at a high level the S/MIME prototype:
- can sign
- can encrypt
- can decrypt (without writing clear text to disk)
- can verify
- and supports several features that are enabled through suggested additions.

With the foresight that zones may need to be delegated to accommodate churn and scale, some certificates may need to be selectively authenticated or deauthenticated (perhaps on a per-user basis), and the locations of certificate information may need to be managed in different places (some in the DNS, some in external locations), etc., we have made some operational choices to modify elements of the draft in our prototype. We intend to detail these in a follow-on email.

We're hoping to show this off at the upcoming IETF too.

Eric