Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

Tony Finch <dot@dotat.at> Wed, 03 November 2010 17:28 UTC

Date: Wed, 03 Nov 2010 17:28:30 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240810c8f747e44b70@[10.20.30.150]>
Message-ID: <alpine.LSU.2.00.1011031723410.8553@hermes-2.csi.cam.ac.uk>
References: <286A23F7-0E2F-4F5E-906C-315DD9B325DA@princeton.edu> <p0624084ec8ef630fbae1@10.20.30.151> <4CC9E7AB.1030501@cs.tcd.ie> <p0624086dc8ef9feba340@10.20.30.151> <B6CEBA10-0198-4AB3-B6D4-E7D835FD47F1@princeton.edu> <AANLkTin-CqduBX5ibUCb0+1Lr-GXJ-KGd8YxzjUTPEO7@mail.gmail.com> <CA58B286-8F9D-423D-B9BF-91347F6FD960@Princeton.EDU> <1288462840.1977.4.camel@mattlaptop2.local> <69345A7D-4834-40E4-99C2-EDF3FC2DDEB3@Princeton.EDU> <1288469609.1977.178.camel@mattlaptop2.local> <EAC89FC3-184C-449C-AE5B-E3950578ED30@Princeton.EDU> <1288477403.1977.319.camel@mattlaptop2.local> <m3wroz6x81.fsf@jhcloos.com> <B255379A-6B1A-4E0B-AC66-EAD8F4B62040@kumari.net> <alpine.LSU.2.00.1011031546490.18926@hermes-2.csi.cam.ac.uk> <p0624080bc8f73e470aa3@[10.20.30.150]> <alpine.LSU.2.00.1011031647271.8553@hermes-2.csi.cam.ac.uk> <p06240810c8f747e44b70@[10.20.30.150]>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: keyassure@ietf.org
Subject: Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Nov 2010 17:28:26 -0000

On Wed, 3 Nov 2010, Paul Hoffman wrote:
>
> It is still far from clear how KIDNS will deal with SRV, so it is
> premature to say that subdomains will be a problem. If KIDNS records are
> retrieved for the name gotten from (not given to) the SRV request, there
> is no issue, is there?

Not from the RRset size point of view, but doing that is bad for
performance.

> >It implies that I should change my email address to dot@mail.dotat.at and
> >my Jabber ID to dot@jabber.dotat.at etc. etc. so that I can put their
> >certificates in the DNS.
>
> No, it does not imply that at all. The discussion of how to deal with
> end-user certificates in KIDNS has barely begun, and I doubt it will end
> with what you just said was the implication.

I'm not talking about personal certificates; I'm talking about the mail
and jabber services identified by the domain parts of the addresses.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
ROUGH. RAIN THEN FAIR. GOOD.