IETF Logo Mail Archive

Re: [keyassure] publishing the public key

Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 19 February 2011 01:15 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 437783A6ECB for <keyassure@core3.amsl.com>; Fri, 18 Feb 2011 17:15:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-tBdrv5JLHg for <keyassure@core3.amsl.com>; Fri, 18 Feb 2011 17:15:08 -0800 (PST)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id AA22F3A6D9C for <keyassure@ietf.org>; Fri, 18 Feb 2011 17:15:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1298078144; x=1329614144; h=from:to:subject:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20henry.story@bblfish.net,,=20keyassure@ietf.org |Subject:=20Re:=20[keyassure]=20publishing=20the=20public =20key|Message-Id:=20<E1PqbQ7-0007aF-Cy@login01.fos.auckl and.ac.nz>|Date:=20Sat,=2019=20Feb=202011=2014:15:35=20+1 300; bh=NQlNBYBQqUeav2hn+2q9rN8JAkUHeVV2rivVICBEpDE=; b=NpAIy7WyR6tCrV5GpfArGJCv37RXvsgEbgGNPqmgwU5w0NFr/XS9Zv0E NPwa5JQiU0rvTBdvLWZAeIfcRH2i94vdlDZ7SFx7hEBlbVUciyyFYtuoL lByRGpFMAUZjZSc2ubzMQ32VgifFAIvpuaXiKALmKFd4978PYZBE06zU6 M=;
X-IronPort-AV: E=Sophos;i="4.62,190,1296990000"; d="scan'208";a="46881582"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 19 Feb 2011 14:15:36 +1300
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PqbQ7-0003Wn-HZ; Sat, 19 Feb 2011 14:15:35 +1300
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PqbQ7-0007aF-Cy; Sat, 19 Feb 2011 14:15:35 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: henry.story@bblfish.net, keyassure@ietf.org
Message-Id: <E1PqbQ7-0007aF-Cy@login01.fos.auckland.ac.nz>
Date: Sat, 19 Feb 2011 14:15:35 +1300
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Feb 2011 01:15:10 -0000

[Several of my posts didn't make it to the list, these are re-posts of earlier
 messages]

Henry Story <henry.story@bblfish.net> writes:

>In draft-dane-04 [1] one can currently only publish either a signature or a
>certificate in the DNS. That is the only allowed formats of the resource
>record are as specified in section 2.2
>
>[...]
>
>Why not publish the only piece of the certificate that is important in public
>key cryptography: the public key.

Whatever format gets used, could we restrict things to just a single form, or
at most two forms?  At the moment we've got two types of certs, two hashes of
certs, and a raw public key (or, most likely, two of them).  In practice
there's going to be some de facto standard that everyone uses (e.g. SHA-1
hashes of certs for "fingerprints", which every browser seems to support even
though there isn't even a standard specifying them), and adding a whole pile
of formats is going to reduce interoperability or (more likely) lead to
implementors ignoring all but whatever ends up as the de facto standard.  I'd
use the cert fingerprint (which is already the de facto universal identifier)
as a MUST and leave the rest as options.  TLS already requires that you send
the full cert, TLS implementations already generate a cert fingerprint, so all
that's left to implement besides (shudder) the res_query() lookup is a
memcmp().

Peter.

v2.23.0 | Report a Bug | By Email