Re: [dispatch] please dispatch draft-bhjl-x509-srv-02.xml

"John R Levine" <johnl@taugh.com> Sat, 20 August 2016 17:41 UTC

Date: Sat, 20 Aug 2016 13:41:19 -0400
Message-ID: <alpine.OSX.2.11.1608201324420.39279@ary.lan>
From: John R Levine <johnl@taugh.com>
To: "Cullen Jennings (fluffy)" <fluffy@cisco.com>
In-Reply-To: <922EDA7D-2269-4E9D-A72A-87327DE60410@cisco.com>
References: <alpine.OSX.2.11.1607221253020.13624@dhcp-b1bb.meeting.ietf.org> <922EDA7D-2269-4E9D-A72A-87327DE60410@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/khEvqQG-XnzJb5jJ7CaWTQVAj_E>
Cc: Dispatch WG <dispatch@ietf.org>
Subject: Re: [dispatch] please dispatch draft-bhjl-x509-srv-02.xml

> Security model ... I'm a bit confused by the use of HTTPS and DNSSEC.
> They both seem unneeded if the idea is a certificate is more or less 
> self securing and public

The security model is deliberately vague.  Some people believe that if a
domain publishes S/MIME certificates for its mail users, that cert is 
authoritative.  If you do, the HTTPS and DNSSEC provide a chain of trust.

If we think that publishing a signed TLSA for the S/MIME signing cert is 
adequate, we can ditch the rest of the DNSSEC, although https is best 
practice these days for anti-snooping purposes.

> The API. I'd like to see it clearly work for all types of URIs including email.

Please, no, not death by overgeneralization.  We have at least one large
mail system that wants to publish certs for its mail users.

> It also seems that perhaps a parameter that directly indicated the 
> returned type like x509, pgp, etc would be a better API design than
> using uri vs email to indicate if it was x509 or pgp.

This is essentially a profile of RFC 5280, which has been a standards 
track RFC for eight years.  Let's not invent any more new stuff than we 
have to.

> I don't get why the Name Matching part happens.

Because email addresses are fuzzy.  On some systems bobsmith@example and 
bob.smith@example and/or bobsmith-ext@example are equivalent, while on 
others they aren't.  (A brief review of RFC 5321 will remind us that no, 
there is no such thing as a canonical version of a mail address.)  So this 
says the cert lookup should use the same fuzz that the mail system does.

> I think what you are really talking about here is designing an HTTP REST
> based API for retrieval of certificates (and it happens to have an SRV 
> entry). That seems to be an idea worth discussing.

No, once again, it's just a profile of RFC 5280.

R's,
John