Re: dane-openpgp 2nd LC resolution

Doug Barton <> Tue, 15 March 2016 01:44 UTC

From: Doug Barton <>
Subject: Re: dane-openpgp 2nd LC resolution
To: Paul Wouters <>
Openpgp: id=E3520E149D053533C33A67DB5CC686F11A1ABC84
Date: Mon, 14 Mar 2016 18:44:06 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

On 03/14/2016 04:18 PM, Paul Wouters wrote:
> Yes, you are about 1.5 years late. And your arguments are (un)fortunately
> not new arguments. Since the archive on this draft is rather huge, I can
> understand that you missed part of this discussion. So for completeness'
> sake, I will answer your questions again.

Thank you for your patience in explaining your reasoning, and again, I'm
sorry for coming late to the party. And thanks as well for confirming
that my memory is correct ... at one time I did hear that this topic was
going in the direction of signatures rather than certs. Unfortunate that
I didn't follow it more closely.

Regarding what you said and what your goals are, I think that we are 
pretty far apart. I will send a detailed response to your message on the 
DANE list soon. In all likelihood I will also create a new I-D with my 
ideas specified in more detail. Perhaps what is needed is more than one 
experiment. :)

In regards to the current last call, while your explanations do help to 
alleviate a few of my concerns, in large part I am still not 
enthusiastic about this version of the draft proceeding.

In particular I think the concern about these RRs being used for DDoS
amplification remains. There is no mechanism in place currently in any
name server software that I am aware of to limit responses to queries in
the manner you describe (only send answers if the query comes over TCP
or with DNS Cookies). Further, I don't see that happening any time soon.

Close behind that concern, the larger IETF community (or at least some
very vocal segments of it) has serious concerns about this type of
opportunistic encryption happening at all, or in my case, without user
input. They (and to some extent I) remain unconvinced by your
assertion that this type of opportunistic encryption is always better
than the current state. Personally, I need to think more about that, but
at least in the early stages of an experiment in tying PGP keys to DNS
RRs, I'm definitely opposed.