Re: [openpgp] [dane] Storing public keys in DNS… or LDAP

Phillip Hallam-Baker <> Tue, 06 August 2013 18:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD34D21E8091; Tue, 6 Aug 2013 11:51:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.385
X-Spam-Status: No, score=-2.385 tagged_above=-999 required=5 tests=[AWL=-0.086, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C-a737wUiaIN; Tue, 6 Aug 2013 11:51:42 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c00::232]) by (Postfix) with ESMTP id A4B2621E809B; Tue, 6 Aug 2013 11:51:27 -0700 (PDT)
Received: by with SMTP id m15so698220wgh.5 for <multiple recipients>; Tue, 06 Aug 2013 11:51:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=CkRYxJsK7c7e3XmMiOGOcD3QagIW3iN7Emn9Si4p0pw=; b=ZRfqFxGVJsb6tgJ23Kwq559h+JtvVAPLRJ+W+maGMYzZ0LatwMsq70RoomX2h3fAcI ZQlcz4EzXxpXp1HFyZxhmlmfyWEhSCW7k8qDFPqprkJnPaFbv/MDxhUWSHCs7iyL2hbv r8xzUIqWjmnR45IX/FGUtwqTSH2Vu/hIeygNZG4WjmAnRO9+/k1emhkb2QFSzCV28bPc KUKisMrnS5bjM/66Jy6Y3sixEimH029y66cDR3OE51wyxqAaaDwKzxHkFSJqmEJKCCdr WOkzW09SzQRCh8gnp7W+aX0apWxf3PVgS1JQ/FwW+OG4rp2LtdkgDdgMKQ7fwN0EtUEX TA5w==
MIME-Version: 1.0
X-Received: by with SMTP id wq6mr1993818wjc.94.1375815083770; Tue, 06 Aug 2013 11:51:23 -0700 (PDT)
Received: by with HTTP; Tue, 6 Aug 2013 11:51:23 -0700 (PDT)
In-Reply-To: <>
References: <> <>
Date: Tue, 6 Aug 2013 14:51:23 -0400
Message-ID: <>
From: Phillip Hallam-Baker <>
To: "Rick van Rein (OpenFortress)" <>
Content-Type: multipart/alternative; boundary=089e0141a1fc584bc904e34be980
X-Mailman-Approved-At: Tue, 06 Aug 2013 14:03:56 -0700
Cc:, "" <>
Subject: Re: [openpgp] =?windows-1252?q?=5Bdane=5D_Storing_public_keys_in_DNS?= =?windows-1252?q?=85_or_LDAP?=
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 06 Aug 2013 18:51:43 -0000

Sounds like you are proposing this.

For what it is worth, I agree that using the DNS to store per-user data is
not a good approach. The DNS administration model is that it makes
assertions about network names and not individual users. Previous attempts
to put end users in the DNS have uniformly met with failure.

But that does not mean that LDAP is a useful tool. LDAP has tons of
complexity and none of it does the slightest bit of good.

While writing my RFC tool I thought about writing a spec for an Internet
bibliography service that would convert labels [RFC4386] to XML documents
describing the reference.

Then after a fairly short amount of work I realized that I could do
everything I wanted using HTTP and some simple regular expression pattern
matching. And the regexp stuff was only necessary because I wanted to reuse
the existing libraries of references at

So if you want to do per client records my suggestion would be

1) Use HTTP as the query language transport.

2) Put some form of pointer to the service in the DNS.

3) Use DNSSEC to secure the binding

It might well be that (2) is a case where NAPTR would be a good solution.
Or it might not.

On Fri, Jul 26, 2013 at 10:19 AM, Rick van Rein (OpenFortress) <>; wrote:

> Hello Paul Wouters,
> I came across your work on storing public key credentials of users in the
> DNS:
> * draft-wouters-dane-openpgp-00
> * draft-wouters-dane-otrfp-00
> As I am currently trying to achieve similar, secure end-to-end exchanges
> of public key material for secure communication, this is very interesting.
>  Thanks for the work!
> When I read them, I found that you made a choice that we deliberately
> abandoned as unpractical, so I thought it good to share our thoughts.  The
> background of our work is with which we
> aim to get more end user and technical facilities incorporated into hosting
> packages.  Doing this, we are rather keen on privacy and security, as you
> are in your drafts.
> We decided against the sort of options in DNS that you are describing
> because we felt that the DNS is not meant for storing individual user
> credentials.  One reason for this opinion is that DNS is ultimately treated
> public data, and no DNS admin will accept responsibility for "leaking"
> information through DNS, whereas most users will not want that kind of
> treatment with their electronically addressable contact channels.  Another
> reason is that DNS management is usually considered too sensitive to update
> for end user changes; which is why it is often in the hands of another
> (class of) operator.
> We are embarking in another direction, and thought this might also be
> useful for you, also because it can be used without RFC work.  Instead of
>  using DNS for user data, we are looking at LDAP (with DANE to secure it).
>  It is a very suitable mechanism for retrieval of end-user descriptive
> information, ranging from postalAddress to pgpKey descriptions.  It also
> has a well-established notion of a Global Directory that is based on
> DNS-names derived from dc=,dc= trailers to distinguishedNames, and SRV
> record lookups of LDAP service under such domains.  Given an email address,
> the username part can then be sought with (uid=…) filtering, and PGP keys
> and such can be located under that node.  I am not aware of any XMPP
> profile for LDAP, but that is as straightforward to define as it has been
> for OpenPGP, SSH and even SRP.  It is probably easier to get such an LDAP
> attribute spec standardised as an RFC or even just a XEP than your proposed
> use of DNS.
> The searchable structured data in LDAP can have privacy issues when used
> as a public-facing service when published without restraint; we are
> resolving that with a filtering practice (for which we are developing
> software) that can filter out considered-private attributes (or objects)
> unless their attribute values are explicitly mentioned in a query.  So,
> searching for (uid=rick) under dc=openfortress,dc=nl would deliver my
> account record with email address and SIP phone number as well as being a
> parent for key material, but searching for (uid=*) would not deliver this
> if I configured LDAP to treat uid as too private to publish in that case.
>  Another reason not to publish LDAP is that it is often used for data about
> local infra; this can be solved by separating in-house and public directory
> services.
> If you want to know more about this work, you can visit this site with the
> work in progress:
> Specifically note how, for OpenPGP, there is a solution that already works
> with PGP tools -- they will perform that LDAP queries to per-domain LDAP
> service. I detailed it on the subpage
> I hope this is helpful!
> Cheers,
> Rick van Rein
> OpenFortress
> +31.53.4782239
> _______________________________________________
> dane mailing list