Re: [openpgp] The DANE draft

Paul Wouters <paul@nohats.ca> Sun, 26 July 2015 08:20 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E55041A1A4B; Sun, 26 Jul 2015 01:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8MI1OYbM5YPg; Sun, 26 Jul 2015 01:20:58 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7931A066C; Sun, 26 Jul 2015 01:20:58 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3mfHK35Bjmz5B6; Sun, 26 Jul 2015 10:20:55 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=R9sZZhON
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id ZpBR6utdva3x; Sun, 26 Jul 2015 10:20:53 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 26 Jul 2015 10:20:53 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D66D580042; Sun, 26 Jul 2015 04:20:52 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1437898852; bh=89ETkdMo9o+pLPiUD2dob0GXKyJqDeFWDQeL+LFo0fU=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=R9sZZhONBouriIUginx4bZagQXuUVb72B3S7c65MywXxxDF+3C1aRN/j7jCBVhjEu 1egkXsVaGr1HbhggGYod6473qjMfnyFXA97XAVSFWMDeRUFfiy54mv8K6xUara1mhv h+rL6zU//jhFK/5QYKtjZYnS4Rly/dmjiM1F0pvM=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t6Q8KqDl030840; Sun, 26 Jul 2015 04:20:52 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Sun, 26 Jul 2015 04:20:52 -0400
From: Paul Wouters <paul@nohats.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>
In-Reply-To: <CAMm+LwhtQfUdsd0Tt8P7iLy+4UN6Sznp89emVQFt5bJeiEYAwg@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1507260410590.29300@bofh.nohats.ca>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87bnf1hair.fsf@alice.fifthhorseman.net> <alpine.LFD.2.11.1507250832510.854@bofh.nohats.ca> <CAMm+LwhtQfUdsd0Tt8P7iLy+4UN6Sznp89emVQFt5bJeiEYAwg@mail.gmail.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/ROA493zaVqMpG4BqAPIkCADi-rA>
Cc: IETF OpenPGP <openpgp@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, dane WG list <dane@ietf.org>
Subject: Re: [openpgp] The DANE draft
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2015 08:21:00 -0000

On Sat, 25 Jul 2015, Phillip Hallam-Baker wrote:

> On Sat, Jul 25, 2015 at 8:56 AM, Paul Wouters <paul@nohats.ca> wrote:
>
>       Answering phb and dkg:

[note I stated my answer was to both you and dkg, and I used traditional
">" and ">>" which your email client seems to have eaten, so it is
unfortunate if that causes further confusion to a lot of people's email
client when reading this response]

>       That's not how I see it. It is surely a discovery and distribution
>       system for keys. But it is not a policy publication mechanism.  The
>       draft (carefully) does not tell you what you can or cannot do with the
>       key. Some people tried to propose this (mostly for smime) by having
>       different prefixes for _encrypt or _sign, but this was not adopted.
> 
> Again, you don't seem to understand the spec. 'MUST USE TLS' is one of the purported benefits.

Which specification are you referring to? The OPENPGPKEY specification
does not say "MUST USE TLS".

> Key pinning to a specific key is another.

I assume you mean "key pinning to a specific user"? If so, the OpenPGP
RFC already binds the public key and the various key IDs. Any such
existing pinning is in the OpenPGP RFC. This draft does not modify
OpenPGP in any way whatsoever. It only provides a discovery mechanism
to find an openpgp key based on an email address.

> Those are security policy.

Whether or not they are, they are not specified in this draft.

> I think those should be taken out of DANE but that hasn't happened yet as far as I am aware.

I don't even understand what you mean with "DANE" in this context. This
draft has nothing to do with the TLSA record which _does_ do further
security policy specification using Selectors and Usage types. This
draft specifically does not use Selectors or Usage types and leaves
all the openpgp key policies to the OpenPGP RFC options.

Paul
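The two halves of the mechanism the message describes, as an added example that is not part of the thread, the draft, or any of the participants' code: deriving the DNS owner name under which the OPENPGPKEY record for an email address is looked up, and taking the fingerprint and key ID out of the returned RDATA, which is nothing more than the OpenPGP transferable public key. The owner-name construction (SHA2-256 of the local-part, truncated to 28 octets, hex-encoded, then "_openpgpkey" and the domain) is the one in the draft that became RFC 7929, and the fingerprint computation is the RFC 4880 one; everything else, in particular the toy RSA public-key packet, the address alice@example.com, and the decision not to case-fold the local-part, is constructed for this example. The DNS query itself and DNSSEC validation of the answer are left to the resolver; the code only shows what the client computes before and after the query.

```python
import base64
import hashlib
import struct


def openpgpkey_owner_name(email: str) -> str:
    """DNS owner name queried for the OpenPGP key of an email address:
    SHA2-256 of the local-part, truncated to 28 octets and hex-encoded, as the
    left-most label, then "_openpgpkey" and the domain.  The domain is
    lowercased (DNS is case-insensitive); the local-part is hashed exactly as
    given, so any canonicalisation of it is the caller's job (assumption)."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address: %r" % email)
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return "%s._openpgpkey.%s" % (label, domain.lower())


def zone_record(email: str, rdata: bytes) -> str:
    """Presentation form of the record: the RDATA is the binary transferable
    public key, shown as base64 in a zone file."""
    return "%s. IN OPENPGPKEY %s" % (openpgpkey_owner_name(email),
                                     base64.b64encode(rdata).decode("ascii"))


def _read_packet(data: bytes):
    """(tag, body) of the first OpenPGP packet in data; handles old- and
    new-format headers (RFC 4880 section 4.2), rejects partial body lengths."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("packet-tag bit not set")
    if ctb & 0x40:                              # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                       # old-format header
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def v4_fingerprint(rdata: bytes) -> str:
    """Fingerprint of the primary key in the RDATA: SHA-1 over 0x99, a two-octet
    body length and the version 4 public-key packet body (RFC 4880 12.2).
    Only the body is hashed, so the header encoding does not matter."""
    tag, body = _read_packet(rdata)
    if tag != 6:
        raise ValueError("first packet is not a public-key packet (tag %d)" % tag)
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """Long (64-bit) key ID: the low-order eight octets of a v4 fingerprint."""
    return fingerprint[-16:]


def record_matches(email: str, presentation_rdata: str, expected_fingerprint: str) -> bool:
    """What a client does with a (DNSSEC-validated) answer: decode the base64
    RDATA, derive the fingerprint and compare it with the one it already
    expects for this correspondent."""
    rdata = base64.b64decode(presentation_rdata)
    return v4_fingerprint(rdata) == expected_fingerprint.replace(" ", "").upper()


def _mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then big-endian octets."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


def constructed_public_key_packet(new_format: bool = False) -> bytes:
    """A syntactically valid v4 RSA public-key packet with toy parameters,
    constructed for this example only (not a usable key, not anyone's real key)."""
    body = (b"\x04" + struct.pack(">I", 1437898852)     # version 4, creation time
            + b"\x01"                                   # algorithm 1 = RSA
            + _mpi(0xC0FFEE1234567891) + _mpi(65537))   # toy n and e
    if new_format:
        return b"\xC6" + bytes([len(body)]) + body      # tag 6, one-octet length
    return b"\x99" + struct.pack(">H", len(body)) + body  # tag 6, two-octet length


if __name__ == "__main__":
    pkt = constructed_public_key_packet()
    fpr = v4_fingerprint(pkt)
    print(zone_record("alice@example.com", pkt))
    print("fingerprint", fpr, "key id", key_id(fpr))
    print("matches:", record_matches("alice@example.com", base64.b64encode(pkt).decode(), fpr))
```

The name printed by `openpgpkey_owner_name` is what a resolver asks for, for instance with `dig +dnssec TYPE61 <name>` (61 is the OPENPGPKEY RR type). Note that nothing in the record says what the key may be used for; as the message says, the RDATA is the OpenPGP key as-is, and whatever the client learns about usage, expiry or bindings it learns from the key's own packets, not from the DNS record.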