Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

Ben Laurie <ben@links.org> Fri, 09 August 2013 15:00 UTC

Return-Path: <benlaurie@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9FF21F99DC; Fri, 9 Aug 2013 08:00:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GofO3WCmnQDO; Fri, 9 Aug 2013 08:00:46 -0700 (PDT)
Received: from mail-qe0-x233.google.com (mail-qe0-x233.google.com [IPv6:2607:f8b0:400d:c02::233]) by ietfa.amsl.com (Postfix) with ESMTP id 1868D21E80A7; Fri, 9 Aug 2013 07:56:01 -0700 (PDT)
Received: by mail-qe0-f51.google.com with SMTP id nd7so2380111qeb.38 for <multiple recipients>; Fri, 09 Aug 2013 07:56:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=GAP2OeYJB2B1gK0MUZzpvDPFr9T5EjONvZJwayGr460=; b=dF0ExLxPvgAEH+GaP1zzmHVn7yWo0C1X7s4NRXmIBCwgbSyupZ/PIKTGBeDHtdl4zI bwXZ07sTxsDvseL9bsYFfDYc76Wceu4wNOktLc5rn0k5WMmuIvKCjlL4NyPHi/Rmr4n4 PmX5RKkz1z9qCvFMCCGGqqYRDvaWNB0czUc7G8NFBAdXiBSyAR/9UBxhIclu0trDjruV GGvizhRvoiQ6Cplqhxzn1MX2MPSOfELQeHBtsPXO4yeEEto/erQYl5cIHrcnAzw43WJ1 +g8qw9JlnOqtwwX6yu54cSu0hQNgsDWp8mR0fZYCEXHufPLh2QDJjocJFNkd0hpHr87n t9mw==
MIME-Version: 1.0
X-Received: by 10.49.105.36 with SMTP id gj4mr1019881qeb.56.1376060160535; Fri, 09 Aug 2013 07:56:00 -0700 (PDT)
Sender: benlaurie@gmail.com
Received: by 10.49.4.227 with HTTP; Fri, 9 Aug 2013 07:56:00 -0700 (PDT)
In-Reply-To: <201308070106.r7716UgN004651@new.toad.com>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com> <201308070106.r7716UgN004651@new.toad.com>
Date: Fri, 9 Aug 2013 15:56:00 +0100
X-Google-Sender-Auth: DffmglOJSPol_xfLy5jIdcQlBIA
Message-ID: <CAG5KPzy3=F=iw9-omKizcrQ4N03cDABs3WE61+K_VfP=+XmQyw@mail.gmail.com>
From: Ben Laurie <ben@links.org>
To: John Gilmore <gnu@toad.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: openpgp@ietf.org, "Rick van Rein \(OpenFortress\)" <rick@openfortress.nl>, Phillip Hallam-Baker <hallam@gmail.com>, "dane@ietf.org" <dane@ietf.org>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2013 15:00:47 -0000

On 7 August 2013 02:06, John Gilmore <gnu@toad.com>; wrote:
>> For what it is worth, I agree that using the DNS to store per-user data is
>> not a good approach. The DNS administration model is that it makes
>> assertions about network names and not individual users. Previous attempts
>> to put end users in the DNS have uniformly met with failure.
>>
>> But that does not mean that LDAP is a useful tool. LDAP has tons of
>> complexity and none of it does the slightest bit of good.
>
> The classic Internet protocol for providing per-user data is "finger",
> RFC 742 from 1977.  (Note by the way the illustrious users in the
> "examples" section.)  It has been updated a few times, most recently
> in RFC 1288 from 1991.  It is a Draft Standard.  Many people put their
> PGP public key in their .plan file for easy remote access via finger.
>
> Finger has two drawbacks for this purpose: It is not authenticated nor
> encrypted; and it is designed to be human-readable, not
> machine-readable.  But a simple finger-like protocol, authenticated
> and encrypted via keys anchored in DNSSEC, might not only fill the
> need to obtain keys, but also offer a secured and machine-readable
> replacement for the finger protocol.

https://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

>
>> Sounds like you are proposing this.
>> http://www.ietf.org/rfc/rfc4386.txt
>
> Well, no.  That just specifies a DNS RR for finding a server that
> includes X.509 stuff.  It doesn't define a protocol for getting the
> stuff from that server, nor is it generic to information beyond X.509.
>
>>> * draft-wouters-dane-openpgp-00
>>> * draft-wouters-dane-otrfp-00
>
> These actually specify how to get authenticated key material from the
> DNS.  (However, they don't encrypt the DNS transaction, so the
> identity of the user being communicated with is leaked to NSA and
> any other wiretappers...)
>
>         John
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp