Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

Ben Laurie <ben@links.org> Fri, 09 August 2013 15:00 UTC

In-Reply-To: <201308070106.r7716UgN004651@new.toad.com>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com> <201308070106.r7716UgN004651@new.toad.com>
Date: Fri, 09 Aug 2013 15:56:00 +0100
Message-ID: <CAG5KPzy3=F=iw9-omKizcrQ4N03cDABs3WE61+K_VfP=+XmQyw@mail.gmail.com>
From: Ben Laurie <ben@links.org>
To: John Gilmore <gnu@toad.com>
Cc: openpgp@ietf.org, "Rick van Rein (OpenFortress)" <rick@openfortress.nl>, Phillip Hallam-Baker <hallam@gmail.com>, "dane@ietf.org" <dane@ietf.org>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

On 7 August 2013 02:06, John Gilmore <gnu@toad.com> wrote:
>> For what it is worth, I agree that using the DNS to store per-user data is
>> not a good approach. The DNS administration model is that it makes
>> assertions about network names and not individual users. Previous attempts
>> to put end users in the DNS have uniformly met with failure.
>>
>> But that does not mean that LDAP is a useful tool. LDAP has tons of
>> complexity and none of it does the slightest bit of good.
>
> The classic Internet protocol for providing per-user data is "finger",
> RFC 742 from 1977.  (Note by the way the illustrious users in the
> "examples" section.)  It has been updated a few times, most recently
> in RFC 1288 from 1991.  It is a Draft Standard.  Many people put their
> PGP public key in their .plan file for easy remote access via finger.
>
> Finger has two drawbacks for this purpose: It is not authenticated nor
> encrypted; and it is designed to be human-readable, not
> machine-readable.  But a simple finger-like protocol, authenticated
> and encrypted via keys anchored in DNSSEC, might not only fill the
> need to obtain keys, but also offer a secured and machine-readable
> replacement for the finger protocol.

https://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/

>
>> Sounds like you are proposing this.
>> http://www.ietf.org/rfc/rfc4386.txt
>
> Well, no.  That just specifies a DNS RR for finding a server that
> includes X.509 stuff.  It doesn't define a protocol for getting the
> stuff from that server, nor is it generic to information beyond X.509.
>
>>> * draft-wouters-dane-openpgp-00
>>> * draft-wouters-dane-otrfp-00
>
> These actually specify how to get authenticated key material from the
> DNS.  (However, they don't encrypt the DNS transaction, so the
> identity of the user being communicated with is leaked to NSA and
> any other wiretappers...)
>
>         John
> _______________________________________________
> openpgp mailing list
> openpgp@ietf.org
> https://www.ietf.org/mailman/listinfo/openpgp
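The WebFinger draft linked in the reply (draft-ietf-appsawg-webfinger, later published as RFC 7033) is the "finger-like protocol, authenticated and encrypted" that John asks for: the client asks `https://<host>/.well-known/webfinger?resource=acct:<user>@<host>` and gets back a JSON Resource Descriptor (JRD) listing links about that account. The following is an added example, not code from this thread or from the draft's authors, showing the two client-side pieces a key-lookup tool would need: building the query so the account name travels inside TLS (the leakage John notes for finger and for the DANE drafts), and checking the JRD before trusting a key link in it. The `OPENPGP_KEY_REL` link relation, the sample JRD and the hostnames are constructed for the example; WebFinger itself defines no relation for OpenPGP keys.

```python
# Added example: WebFinger (draft-ietf-appsawg-webfinger / RFC 7033) client pieces
# for looking up a user's key link. Not code from the mailing-list thread.
import json
from urllib.parse import quote, urlsplit

WELL_KNOWN_PATH = "/.well-known/webfinger"

# Hypothetical link relation for an OpenPGP key (assumption; not defined by WebFinger).
OPENPGP_KEY_REL = "https://example.org/rel/openpgp-key"

# Constructed sample JRD, as a server for example.com might return it.
# The first key link is deliberately cleartext http so the selector has to skip it.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "aliases": ["https://example.com/~alice"],
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://example.com/~alice"},
        {"rel": OPENPGP_KEY_REL, "type": "application/pgp-keys",
         "href": "http://mirror.example.net/alice.asc"},
        {"rel": OPENPGP_KEY_REL, "type": "application/pgp-keys",
         "href": "https://example.com/~alice/key.asc"},
    ],
})


def webfinger_query_url(account, rel=None):
    """Build the HTTPS query URL for acct:user@host.

    Unlike finger on port 79 or an unencrypted DNS lookup, the account name is
    carried in the query string of a TLS-protected request, so an on-path observer
    learns which host was contacted but not which user was looked up.
    """
    user, sep, host = account.rpartition("@")
    if not sep or not user or not host:
        raise ValueError("account must be of the form user@host")
    url = "https://%s%s?resource=%s" % (
        host, WELL_KNOWN_PATH, quote("acct:" + account, safe=""))
    if rel is not None:
        # Optional rel filter: ask the server for only the link relation we need.
        url += "&rel=" + quote(rel, safe="")
    return url


def parse_jrd(body, resource):
    """Parse a JRD reply and check it actually describes the resource we asked for.

    The subject may legitimately be a canonical form of the resource, so the
    requested URI is accepted if it is the subject or listed under aliases.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("subject"), str):
        raise ValueError("JRD must be an object with a string subject")
    aliases = doc.get("aliases", [])
    if not isinstance(aliases, list) or not all(isinstance(a, str) for a in aliases):
        raise ValueError("aliases must be a list of strings")
    if resource != doc["subject"] and resource not in aliases:
        raise ValueError("JRD subject %r does not match requested %r"
                         % (doc["subject"], resource))
    links = doc.get("links", [])
    if not isinstance(links, list) or not all(isinstance(l, dict) for l in links):
        raise ValueError("links must be a list of objects")
    return doc


def select_key_link(jrd, rel):
    """Return the first href for `rel` that is served over HTTPS, or None.

    A key fetched over cleartext http could be swapped in transit, which would
    defeat the point of an authenticated lookup, so such links are skipped.
    """
    for link in jrd.get("links", []):
        href = link.get("href")
        if link.get("rel") == rel and isinstance(href, str) \
                and urlsplit(href).scheme == "https":
            return href
    return None


def lookup_key_offline(account):
    """Run the whole flow against the constructed sample instead of the network."""
    url = webfinger_query_url(account, OPENPGP_KEY_REL)
    jrd = parse_jrd(SAMPLE_JRD, "acct:" + account)
    return url, select_key_link(jrd, OPENPGP_KEY_REL)


if __name__ == "__main__":
    query, key_href = lookup_key_offline("alice@example.com")
    print("would GET:", query)
    print("key link :", key_href)
```

`lookup_key_offline` stops short of the network on purpose: a real client would fetch `url` with an HTTPS library that verifies the server certificate, then feed the body to `parse_jrd`. The subject/alias check matters because a server answers for many accounts, and a reply for the wrong subject must not be mistaken for the requested user's key.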