Re: dane-openpgp 2nd LC resolution

Doug Barton <> Mon, 14 March 2016 20:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BDF3912D69C for <>; Mon, 14 Mar 2016 13:18:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GkQsd5lxqVKW for <>; Mon, 14 Mar 2016 13:18:37 -0700 (PDT)
Received: from ( [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A501012D583 for <>; Mon, 14 Mar 2016 13:18:34 -0700 (PDT)
Received: from [IPv6:2001:4830:1a00:8056:2caf:7cc:3d7d:de4e] (unknown [IPv6:2001:4830:1a00:8056:2caf:7cc:3d7d:de4e]) by (Postfix) with ESMTPSA id 2C35C3A0BD for <>; Mon, 14 Mar 2016 20:18:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=dkim; t=1457986714; bh=mA555J85qBj+dGs9H8HrmZId3TB+i8wdi+OTC+eTPjY=; h=Subject:To:References:From:Date:In-Reply-To; b=njc4fMreJ44JjExAloiRWaq5wMIqniP9JpkB/esIdSpaQhTcR80ktmlj6O1S4JcMP eZOj8s3j5qXnGjeeTwHiBdFEvh+GFITzMzEdT0t0huXUfGkTYh+KN1v/NuGlAUuXgG v53r1MO7dWcvS1sszVYgrGWEbopbvPOLiiL/MMUo=
Subject: Re: dane-openpgp 2nd LC resolution
References: <20160313171101.3215.qmail@ary.lan> <> <> <> <>
From: Doug Barton <>
Openpgp: id=E3520E149D053533C33A67DB5CC686F11A1ABC84
Message-ID: <>
Date: Mon, 14 Mar 2016 13:18:33 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 14 Mar 2016 20:18:44 -0000

On 03/14/2016 08:18 AM, John C Klensin wrote:
> However, consider a different case.  Assume I have a message,
> whose content I consider sensitive, that I need to transmit to a
> party I know but with whom I have not corresponded by email
> before (and, therefore, Doug's "replying to message" case does
> not apply).   Now I don't need to send that by email.  I may
> have the post, fax, assorted courier services, reading it on the
> phone (PSTN or VoIP), transmission it by IM or text message, and
> other methods available to me.

In this scenario the PGP community has long (and I mean, for 20 years or 
so) advised to ring the person and confirm their key fingerprint (and by 
extension preferred e-mail address) over the phone. I don't see any 
reason why the existence of a DNS mechanism would change that advice.

> [1] As an aside, if I've got a trusted way to obtain that
> fingerprint without using the DNS, I most likely have another
> way to obtain the key so I don't need this I-D and protocol.
> When that argument is reversed, some of the advantages of Doug's
> suggestion (somewhat similar to that of others, earlier) to put
> fingerprint (and maybe other) information in the DNS rather than
> the key itself become obvious.  But, if we are really committed
> to letting a thousand experiments bloom, that is not relevant.