Re: dane-openpgp 2nd LC resolution

Warren Kumari <> Tue, 15 March 2016 03:29 UTC

From: Warren Kumari <>
Date: Tue, 15 Mar 2016 03:28:43 +0000
Subject: Re: dane-openpgp 2nd LC resolution
To: Doug Barton <>, Paul Wouters <>

On Tue, Mar 15, 2016 at 9:44 AM Doug Barton <> wrote:

> On 03/14/2016 04:18 PM, Paul Wouters wrote:
> > Yes, you are about 1.5 years late. And your arguments are (un)fortunately
> > not new arguments. Since the archive on this draft is rather huge, I can
> > understand that you missed part of this discussion. So for completeness
> > sake, I will answer your questions again.
> Thank you for your patience in explaining your reasoning, and again, I'm
> sorry for coming late to the party. And thanks as well for confirming
> that my memory is correct ... at one time I did hear that this topic was
> going in the direction of signatures rather than certs. Unfortunate that
> I didn't follow it closer.
I just wanted to mention that we have been working on this for a long time,
and there is a definite level of frustration (and some cultural mismatches
/ cross area challenges), and many people are tired at this point. There
have been a large number of messages on the list related to this document
(and topic), so, following it closely is a challenge.

> Regarding what you said and what your goals are, I think that we are
> pretty far apart. I will send a detailed response to your message on the
> DANE list soon. In all likelihood I will also create a new I-D with my
> ideas specified in more detail.

Yes, please do - I think it would be useful to have a better understanding
/ more detail. I should mention again that at this point many people are
tired and / or frustrated, so we will have to work to overcome that.

> Perhaps what is needed is more than one
> experiment. :)

Aaaargh! What could possibly go wrong!? :-P


> In regards to the current last call, while your explanations do help to
> alleviate a few of my concerns, in large part I am still not
> enthusiastic about this version of the draft proceeding.
> In particular I think the concern about these RRs being used for DDOS
> amplification remains. There is no mechanism in place currently in any
> name server software that I am aware of to limit responses to queries in
> the manner you describe (only send answers if the query comes over TCP
> or with DNS-Cookies). Further, I don't see that happening any time soon.
> Close behind that concern, the larger IETF community (or at least some
> very vocal segments of it) have serious concerns about this type of
> opportunistic encryption happening at all, or in my case, without user
> input. They (and to some extent I) remain unconvinced by your
> assertion that this type of opportunistic encryption is always better
> than the current state. Personally, I need to think more about that, but
> at least in the early stages of an experiment in tying PGP keys to DNS
> RRs, I'm definitely opposed.
> Doug
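The amplification concern raised in the quoted message turns on one policy: a name server hands out a large OPENPGPKEY record only when the client has shown it can actually receive it (a TCP connection, or a UDP query carrying a valid DNS Cookie), and otherwise returns a small truncated reply. The following is an added illustrative model of that policy, written for this thread; it is not code from any name server or from the draft, and the sizes, the `udp_limit` default and the `Query`/`Response` types are constructed assumptions.

```python
"""Model of the "answer only over TCP or with a DNS Cookie" policy.

A spoofed UDP query is cheap for an attacker; a multi-kilobyte OpenPGP key
in the answer is what makes the record attractive for amplification. The
policy below caps what an unauthenticated UDP query can elicit: the server
sets the TC bit and sends back a reply no larger than the query, so a real
resolver retries over TCP while a spoofed source gains nothing.

Illustrative model only (assumption), not any name server's actual logic.
"""
from dataclasses import dataclass

# Constructed sizes: a minimal OPENPGPKEY query is on the order of 100 bytes,
# while a full OpenPGP public key with subkeys and signatures can run to
# several kilobytes.
QUERY_BYTES = 100


@dataclass
class Query:
    transport: str           # "udp" or "tcp"
    has_valid_cookie: bool   # server cookie verified (DNS Cookies, RFC 7873)
    size: int = QUERY_BYTES


@dataclass
class Response:
    truncated: bool          # TC bit set: client should retry over TCP
    size: int                # bytes on the wire


def amplification(query: Query, response: Response) -> float:
    """Bytes sent back per byte received; the figure a reflector attack exploits."""
    return response.size / query.size


def answer(query: Query, full_answer_bytes: int, udp_limit: int = 512) -> Response:
    """Decide what to send for an OPENPGPKEY query.

    Full record when the client has proven reachability (TCP handshake or a
    valid cookie) or when the record is small enough to fit the UDP limit;
    otherwise a minimal truncated reply (header + question only).
    """
    if query.transport == "tcp" or query.has_valid_cookie:
        return Response(truncated=False, size=full_answer_bytes)
    if full_answer_bytes <= udp_limit:
        return Response(truncated=False, size=full_answer_bytes)
    # Minimal truncated reply: echo the question, set TC, no answer section.
    return Response(truncated=True, size=query.size)


if __name__ == "__main__":
    key_bytes = 3000  # constructed: a typical multi-subkey OpenPGP key
    for q in (Query("udp", False), Query("udp", True), Query("tcp", False)):
        r = answer(q, key_bytes)
        print(f"{q.transport:3} cookie={q.has_valid_cookie!s:5} "
              f"truncated={r.truncated!s:5} amp={amplification(q, r):.1f}x")
```

The useful comparison is the amplification column: the unauthenticated UDP case stays at 1.0x, while TCP and cookie-bearing clients still receive the whole key. Whether shipping name servers implement such a rule is exactly the open question in the thread; the model only shows what the rule would have to do.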