Re: [keyassure] publishing the public key

Paul Wouters <paul@xelerance.com> Mon, 14 February 2011 14:19 UTC

Return-Path: <paul@xelerance.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E5913A6D52 for <keyassure@core3.amsl.com>; Mon, 14 Feb 2011 06:19:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pw7RCxPgGUbX for <keyassure@core3.amsl.com>; Mon, 14 Feb 2011 06:19:12 -0800 (PST)
Received: from newtla.xelerance.com (newtla.xelerance.com [193.110.157.143]) by core3.amsl.com (Postfix) with ESMTP id 3EF693A6D4A for <keyassure@ietf.org>; Mon, 14 Feb 2011 06:19:11 -0800 (PST)
Received: from tla.xelerance.com (tla.xelerance.com [193.110.157.130]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by newtla.xelerance.com (Postfix) with ESMTP id 190C3C57C; Mon, 14 Feb 2011 09:19:33 -0500 (EST)
Date: Mon, 14 Feb 2011 09:19:32 -0500
From: Paul Wouters <paul@xelerance.com>
To: Henry Story <henry.story@bblfish.net>
In-Reply-To: <928BE494-C59D-4FFF-9390-C459A4BC2107@bblfish.net>
Message-ID: <alpine.LFD.1.10.1102140915530.3131@newtla.xelerance.com>
References: <928BE494-C59D-4FFF-9390-C459A4BC2107@bblfish.net>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] publishing the public key
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Feb 2011 14:19:13 -0000

On Mon, 14 Feb 2011, Henry Story wrote:

>  In draft-dane-04 [1] one can currently only publish either a signature or a certificate in the DNS. That is, the only allowed formats of the resource record are those specified in section 2.2:
>
>  1 -- Hash of an end-entity certificate
>  2 -- Full end-entity certificate in DER encoding
>  3 -- Hash of a certification authority's certificate
>  4 -- Full certification authority's certificate in DER encoding
>
> Why not publish the only piece of the certificate that is important in public key cryptography: the public key. (This is what WebID does currently.) This should be shorter than the certificate, and though it will be longer than the signature, it will be a lot more useful, tying the publisher much less to a particular serialisation format. So you reduce the PGP/X509 disagreements.

Yes. This was asked by others, including me, as well. People thought it would be no
problem to add this to DANE once a bare public key TLS method exists.

>   An important question is of course: how much bandwidth does one save?

Bandwidth does not really matter. What matters is latency (fewer round trips) and getting
rid of ASN.1 parsing.

If you want to help writing a bare public key TLS variant, please contact me.

Paul
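As an added illustration of the two points raised in this thread (this is editor-supplied example code, not code from Paul Wouters, Henry Story or the DANE draft), the Python below builds a constructed, certificate-shaped DER blob with a placeholder RSA key and dummy signature, then walks Certificate -> tbsCertificate -> subjectPublicKeyInfo with a hand-written DER reader to pull out the bare SubjectPublicKeyInfo. It compares the payload sizes of the draft-dane-04 types quoted above (type 1, hash of the end-entity certificate; type 2, full end-entity certificate in DER) with what a bare-public-key record would carry. SHA-256 is an assumed hash choice for the type 1 row; the modulus bytes, names and dates are constructed and are not a real key or certificate. The amount of TLV walking needed in `extract_spki` is exactly the ASN.1 parsing a bare-key record would let the client skip.

```python
import hashlib

# --- minimal DER encoder, just enough to build a certificate-shaped blob ---
SEQ, SET, INT, BITSTR, OID, NULL, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x17

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite-length header (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    # (bit_length + 8) // 8 adds the leading 0x00 DER requires when the top bit is set
    return der(INT, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3)
    return der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(UTF8, cn.encode()))))

RSA_ENC   = der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")  # 1.2.840.113549.1.1.1
SHA256RSA = der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # 1.2.840.113549.1.1.11

# Constructed 2048-bit placeholder modulus (top bit set). NOT a real key.
FAKE_MODULUS = int.from_bytes(bytes([0xC5] + [(i * 37 + 11) % 256 for i in range(255)]), "big")

# SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING wrapping RSAPublicKey{n, e}
SPKI_DER = der(SEQ,
    der(SEQ, RSA_ENC + der(NULL, b""))
    + der(BITSTR, b"\x00" + der(SEQ, der_int(FAKE_MODULUS) + der_int(65537))))

TBS_DER = der(SEQ,
    der(0xA0, der_int(2))                                                  # [0] EXPLICIT version v3
    + der_int(0x1001)                                                      # serialNumber
    + der(SEQ, SHA256RSA + der(NULL, b""))                                 # signature algorithm
    + der_name("Constructed Test CA")                                      # issuer (constructed)
    + der(SEQ, der(UTCTIME, b"110214000000Z") + der(UTCTIME, b"120214000000Z"))  # validity
    + der_name("example.com")                                              # subject (constructed)
    + SPKI_DER)

CERT_DER = der(SEQ,
    TBS_DER
    + der(SEQ, SHA256RSA + der(NULL, b""))
    + der(BITSTR, b"\x00" + bytes(256)))      # dummy signature bits, never verified here

# --- minimal DER reader: the parsing a client does to reach the key inside a cert ---
def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[off + 2 : off + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start, end = off + hdr, off + hdr + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:end], end

def children(content: bytes):
    """Split a constructed value into its immediate child TLVs, headers included."""
    out, off = [], 0
    while off < len(content):
        tag, _, end = read_tlv(content, off)
        out.append((tag, content[off:end]))
        off = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo; return the SPKI DER."""
    tag, cert_body, _ = read_tlv(cert_der)
    if tag != SEQ:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs_body, _ = read_tlv(cert_body)
    if tag != SEQ:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6:
        raise ValueError("tbsCertificate has too few fields")
    tag, spki = fields[5]
    if tag != SEQ:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki

def record_sizes(cert_der: bytes) -> dict:
    """Payload sizes for the quoted draft-dane-04 types versus a bare-SPKI record."""
    spki = extract_spki(cert_der)
    return {
        "type1_ee_cert_sha256": hashlib.sha256(cert_der).hexdigest(),  # SHA-256 assumed
        "type2_ee_cert_der_len": len(cert_der),
        "bare_spki_der_len": len(spki),
        "bare_spki_sha256": hashlib.sha256(spki).hexdigest(),
    }

if __name__ == "__main__":
    for name, value in record_sizes(CERT_DER).items():
        print(f"{name:24} {value}")
```

With the constructed blob the bare SPKI is a few hundred bytes shorter than the full certificate, which is the saving Henry asks about; the more important difference is that a client given the SPKI directly needs none of the `read_tlv`/`children` walk through tbsCertificate before it can use the key.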