Re: dane-openpgp 2nd LC resolution

Doug Barton <dougb@dougbarton.us> Mon, 14 March 2016 20:18 UTC

Return-Path: <dougb@dougbarton.us>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDF3912D69C for <ietf@ietfa.amsl.com>; Mon, 14 Mar 2016 13:18:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dougbarton.us
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GkQsd5lxqVKW for <ietf@ietfa.amsl.com>; Mon, 14 Mar 2016 13:18:37 -0700 (PDT)
Received: from dougbarton.us (dougbarton.us [IPv6:2607:f2f8:ab14::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A501012D583 for <ietf@ietf.org>; Mon, 14 Mar 2016 13:18:34 -0700 (PDT)
Received: from [IPv6:2001:4830:1a00:8056:2caf:7cc:3d7d:de4e] (unknown [IPv6:2001:4830:1a00:8056:2caf:7cc:3d7d:de4e]) by dougbarton.us (Postfix) with ESMTPSA id 2C35C3A0BD for <ietf@ietf.org>; Mon, 14 Mar 2016 20:18:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dougbarton.us; s=dkim; t=1457986714; bh=mA555J85qBj+dGs9H8HrmZId3TB+i8wdi+OTC+eTPjY=; h=Subject:To:References:From:Date:In-Reply-To; b=njc4fMreJ44JjExAloiRWaq5wMIqniP9JpkB/esIdSpaQhTcR80ktmlj6O1S4JcMP eZOj8s3j5qXnGjeeTwHiBdFEvh+GFITzMzEdT0t0huXUfGkTYh+KN1v/NuGlAUuXgG v53r1MO7dWcvS1sszVYgrGWEbopbvPOLiiL/MMUo=
Subject: Re: dane-openpgp 2nd LC resolution
To: ietf@ietf.org
References: <20160313171101.3215.qmail@ary.lan> <F4DDCAC0-ACDF-4FD9-978E-90F4349A0420@dukhovni.org> <D82585411EE24A700558FD25@JcK-HP5.jck.com> <alpine.LFD.2.20.1603131922060.27864@bofh.nohats.ca> <2A69D7982E2992DED26AE5A6@JcK-HP8200.jck.com>
From: Doug Barton <dougb@dougbarton.us>
Openpgp: id=E3520E149D053533C33A67DB5CC686F11A1ABC84
Message-ID: <56E71C99.1000001@dougbarton.us>
Date: Mon, 14 Mar 2016 13:18:33 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <2A69D7982E2992DED26AE5A6@JcK-HP8200.jck.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/zrOC2JdkJuWme0xcavNsHdmNfBg>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2016 20:18:44 -0000

On 03/14/2016 08:18 AM, John C Klensin wrote:
> However, consider a different case.  Assume I have a message,
> whose content I consider sensitive, that I need to transmit to a
> party I know but with whom I have not corresponded by email
> before (and, therefore, Doug's "replying to message" case does
> not apply).   Now I don't need to send that by email.  I may
> have the post, fax, assorted courier services, reading it on the
> phone (PSTN or VoIP), transmission it by IM or text message, and
> other methods available to me.

In this scenario the PGP community has long (and I mean, for 20 years or 
so) advised to ring the person and confirm their key fingerprint (and by 
extension preferred e-mail address) over the phone. I don't see any 
reason why the existence of a DNS mechanism would change that advice.

> [1] As an aside, if I've got a trusted way to obtain that
> fingerprint without using the DNS, I most likely have another
> way to obtain the key so I don't need this I-D and protocol.
> When that argument is reversed, some of the advantages of Doug's
> suggestion (somewhat similar to that of others, earlier) to put
> fingerprint (and maybe other) information in the DNS rather than
> the key itself become obvious.  But, if we are really committed
> to letting a thousand experiments bloom, that is not relevant.

Thanks!

Doug