Re: [keyassure] Bare keys again

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 25 March 2011 10:12 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 492B13A6990 for <keyassure@core3.amsl.com>; Fri, 25 Mar 2011 03:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fg6nUNfado9U for <keyassure@core3.amsl.com>; Fri, 25 Mar 2011 03:12:55 -0700 (PDT)
Received: from hoffman.proper.com (unknown [IPv6:2001:4870:a30c:41::81]) by core3.amsl.com (Postfix) with ESMTP id 317EE3A684D for <keyassure@ietf.org>; Fri, 25 Mar 2011 03:12:55 -0700 (PDT)
Received: from [10.0.2.202] ([212.47.23.197]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p2PAEOqP044186 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 25 Mar 2011 03:14:27 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <1F4784C6-6ED2-4BA7-A2E4-A4296BFFFF4A@bblfish.net>
Date: Fri, 25 Mar 2011 06:14:23 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <188FA2C8-E5A3-4EEF-9372-04D3346A5037@vpnc.org>
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org> <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com> <1300669586.2117.12.camel@localhost> <alpine.LFD.1.10.1103202211390.20162@newtla.xelerance.com> <1300739370.2117.40.camel@localhost> <alpine.LFD.1.10.1103211631260.20162@newtla.xelerance.com> <AANLkTimyOXv66UeG2q2dmt1-e_Ek6WPPH-coueFc7fDS@mail.gmail.com> <AANLkTin1QjUbVFN8FqjL2SPRLSRRw4Ahs4zbhy4ZdZuX@mail.gmail.com> <alpine.LFD.1.10.1103211727150.28224@newtla.xelerance.com>, <alpine.LFD.1.10.1103230625150.18330@newtla.xelerance.com> <E6B327026515F942B2668762387B1DE303228CBD@MBX202.domain.local> <4003BE42-F5AA-4AD2-BF27-21891975F7CE@vpnc.org> <1F4784C6-6ED2-4BA7-A2E4-A4296BFFFF4A@bblfish.net>
To: Henry Story <henry.story@bblfish.net>
X-Mailer: Apple Mail (2.1084)
Cc: "keyassure@ietf.org" <keyassure@ietf.org>
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2011 10:12:56 -0000

> What was still open was why one should add bare public keys, other than for reasons of elegance and bandwidth (which could be important, tests needed) to the options specified in DANE. Those arguing against claimed it could make things very difficult for a lot of software.


"Those arguing against" had additional claims. The one I heard a few times was "there is no good reason to have bare keys in DANE if you cannot have them in TLS". That is, you can't do straight matching with a bare key because that is not a form that is allowed by TLS. If TLS is extended with a standards-track extension that adds bare keys, I would argue that TLSA should have it as well, but probably not until then.

--Paul Hoffman
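The "matching" Paul refers to is the TLSA lookup against what the TLS server presents. The following is an added example, not code from this thread or from the DANE drafts: it computes the Certificate Association Data for the two TLSA selectors defined in RFC 6698 (Cert and SPKI) with the SHA-256 matching type, and checks a presented certificate against it. It shows that even SPKI matching, which is keyed on the public key alone, reads that key out of a certificate delivered in the handshake; a bare key would need a TLS form that carries no certificate at all. The host name, serial numbers and the certificates themselves are constructed at runtime for the demonstration, and the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA Selector field values (RFC 6698, section 2.1.2).
const (
	SelectorFullCert = 0 // match the whole DER-encoded certificate
	SelectorSPKI     = 1 // match only the SubjectPublicKeyInfo inside it
)

// TLSA Matching Type field values (RFC 6698, section 2.1.3).
const (
	MatchFull   = 0 // association data is the selected bytes themselves
	MatchSHA256 = 1 // association data is SHA-256 of the selected bytes
)

// tlsaAssociationData derives the Certificate Association Data a TLSA record
// carries for the given selector and matching type. Both selectors read from
// a certificate: the handshake must deliver one even when only its key is used.
func tlsaAssociationData(cert *x509.Certificate, selector, matching int) ([]byte, error) {
	var selected []byte
	switch selector {
	case SelectorFullCert:
		selected = cert.Raw
	case SelectorSPKI:
		selected = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case MatchFull:
		return selected, nil
	case MatchSHA256:
		sum := sha256.Sum256(selected)
		return sum[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matching)
	}
}

// tlsaMatches reports whether the presented certificate satisfies a TLSA
// record's association data, comparing in constant time.
func tlsaMatches(cert *x509.Certificate, selector, matching int, recordData []byte) bool {
	got, err := tlsaAssociationData(cert, selector, matching)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, recordData) == 1
}

// newCertForKey issues a self-signed certificate for an existing key. This is
// constructed test data so the example runs offline; the name is made up.
func newCertForKey(key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "dane.example"},
		DNSNames:     []string{"dane.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// The certificate in use when the TLSA record was published, and a later
	// re-issuance that keeps the same key pair (constructed scenario).
	published, _ := newCertForKey(key, 1)
	reissued, _ := newCertForKey(key, 2)

	for _, sel := range []int{SelectorFullCert, SelectorSPKI} {
		record, _ := tlsaAssociationData(published, sel, MatchSHA256)
		fmt.Printf("selector %d record data: %x\n", sel, record)
		fmt.Printf("  reissued cert matches: %v\n", tlsaMatches(reissued, sel, MatchSHA256, record))
	}
}
```

Running it shows the SPKI selector still matching after the certificate is re-issued under the same key, while the full-certificate selector does not; in both cases the input to the comparison is taken from an X.509 certificate, which is the form TLS delivers.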