Re: [openpgp] Fwd: New Version Notification for draft-wouters-dane-openpgp-00.txt (fwd)

Andrey Jivsov <openpgp@brainhub.org> Mon, 15 July 2013 23:20 UTC

Message-ID: <51E482E5.5020201@brainhub.org>
Date: Mon, 15 Jul 2013 16:16:53 -0700
From: Andrey Jivsov <openpgp@brainhub.org>
To: openpgp@ietf.org
In-Reply-To: <alpine.LFD.2.10.1307151832180.22103@bofh.nohats.ca>
Cc: Paul Wouters <paul@nohats.ca>

A few quick comments follow.

1.
> Currently deployed key servers have no method of validating any
>    uploaded OpenPGP public key.  The key servers simply store and
>    publish.  Anyone can add public keys with any name or email address
>    and anyone can add signatures to any other public key using forged
>    malicious identities.  For example, bogus keys of prominent
>    dissidents have been uploaded to these well-known key servers in
>    attempts to capture encrypted email.  Furthermore, once uploaded,
>    public keys cannot be deleted.  People who did not pre-sign a key
>    revocation and who have lost access to their private key can never
>    remove their public key from these key servers.

This ignores prior work in this area. https://keyserver.pgp.com is known 
to solve exactly the problems you described for many years now.

2. Given that the size of the record is very important when stored in 
DNS records, it's odd to see that ECC OpenPGP keys are not even 
mentioned. In fact, given that we are talking about a new format here, 
one can see many benefits of standardizing *only* on ECC keys or at 
least preferring/encouraging ECC keys.

I think you raise a valid concern that keys placed in DNS records should 
be "cleaned". A 4096-bit RSA key with 10 subkeys and 3rd-party signatures 
seems excessive.

I planned to introduce the compact key format 
http://tools.ietf.org/html/draft-jivsov-ecc-compact soon to OpenPGP. 
This might be a mandatory tweak to further minimize the size for ECC 
keys when stored in DNS records.

3. I suspect that "4.6. Subject: line encryption" is prone to bugs for 
complex messages with multiple MIME parts. It probably needs more work 
to be acceptable.

On 07/15/2013 03:32 PM, Paul Wouters wrote:
>
> I've submitted a draft to associate a PGP public key with an email
> address using DANE.
>
> Paul
>
>
>
> A new version of I-D, draft-wouters-dane-openpgp-00.txt
> has been successfully submitted by Paul Wouters and posted to the
> IETF repository.
>
> Filename:     draft-wouters-dane-openpgp
> Revision:     00
> Title:         Using DANE to Associate OpenPGP public keys with email
> addresses
> Creation date:     2013-07-15
> Group:         Individual Submission
> Number of pages: 11
> URL:
> http://www.ietf.org/internet-drafts/draft-wouters-dane-openpgp-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-wouters-dane-openpgp
> Htmlized:        http://tools.ietf.org/html/draft-wouters-dane-openpgp-00
>
>
> Abstract:
>     OpenPGP is a message format for email (and file) encryption, that
>     lacks a standardized secure lookup mechanism to obtain OpenPGP public
>     keys.  This document specifies a standardized method for securely
>     publishing and locating OpenPGP public keys in DNS using a new
>     OPENPGPKEY DNS Resource Record.
>
>
>
>
> The IETF Secretariat
...
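Point 2 of the message above argues that key size matters in DNS and mentions the compact ECC key format. The following is an added worked example, not code from the draft, the email or any OpenPGP implementation: it shows the compact representation on NIST P-256 under the assumption that the compact form is the 32-byte x coordinate alone and that the key owner picks the private scalar so that the public point's y is the smaller of {y, p - y}, which lets a recipient recover y unambiguously. The names `compact_keypair` and `decompress` are hypothetical.

```python
# Added example (not from draft-jivsov-ecc-compact or any OpenPGP project):
# compact ECC public-key encoding on NIST P-256. Assumption: compact form is
# the 32-byte x coordinate; the key owner negates the private scalar if
# needed so that the public point's y is min(y, p - y).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)

def add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (demo only, not constant-time)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def compact_keypair(d):
    """Return (d', compact_pub): d' is d or n-d, whichever yields the smaller y."""
    x, y = mul(d, G)
    if y > P - y:          # negate the key pair so y becomes the smaller root
        d = N - d
    return d, x.to_bytes(32, "big")

def decompress(compact):
    """Recover the full point from the 32-byte x; p = 3 mod 4, so sqrt is one pow()."""
    x = int.from_bytes(compact, "big")
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not the abscissa of a point on P-256")
    return x, min(y, P - y)
```

The compact public key is 32 bytes against 65 bytes for the uncompressed point, and a 4096-bit RSA modulus alone is 512 bytes.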