Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

"Rick van Rein (OpenFortress)" <rick@openfortress.nl> Wed, 07 August 2013 06:31 UTC

Return-Path: <rick@openfortress.nl>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F1021E8051; Tue, 6 Aug 2013 23:31:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.354
X-Spam-Level:
X-Spam-Status: No, score=-0.354 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R--3UINaY78N; Tue, 6 Aug 2013 23:31:23 -0700 (PDT)
Received: from smtp-vbr13.xs4all.nl (smtp-vbr13.xs4all.nl [194.109.24.33]) by ietfa.amsl.com (Postfix) with ESMTP id 5049321F9FBD; Tue, 6 Aug 2013 23:31:16 -0700 (PDT)
Received: from [10.0.1.225] (phantom.vanrein.org [83.161.146.46]) (authenticated bits=0) by smtp-vbr13.xs4all.nl (8.13.8/8.13.8) with ESMTP id r776V9wB073172 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 7 Aug 2013 08:31:10 +0200 (CEST) (envelope-from rick@openfortress.nl)
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Content-Type: text/plain; charset=us-ascii
From: "Rick van Rein (OpenFortress)" <rick@openfortress.nl>
In-Reply-To: <30532.1375843681@sandelman.ca>
Date: Wed, 7 Aug 2013 08:31:08 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DE184F9A-C85D-4A84-8CE4-BC6316BF9521@openfortress.nl>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com> <201308070106.r7716UgN004651@new.toad.com> <30532.1375843681@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.1508)
X-Virus-Scanned: by XS4ALL Virus Scanner
X-Mailman-Approved-At: Wed, 07 Aug 2013 00:05:32 -0700
Cc: openpgp@ietf.org, Phillip Hallam-Baker <hallam@gmail.com>, John Gilmore <gnu@toad.com>, "dane@ietf.org" <dane@ietf.org>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 06:31:30 -0000

Hello,

>> The classic Internet protocol for providing per-user data is "finger",
>> RFC 742 from 1977.

Love it.  My first play with redundant/reliable hosting was "fingerhosting", which
achieved 99.9999% uptime due to tripple servers of 99% each :)

>> Finger has two drawbacks for this purpose: It is not authenticated nor
>> encrypted;

Yes, so it is purely there for public data.  For such data, it's better-positioned user data than DNS.

>> and it is designed to be human-readable, not
>> machine-readable.

That ought to be good for some degree of privacy ;-) but this is why so many attempts are made to structure data in DNS but why I prefer LDAP with its large set of predefined techniques and formats -- and it's openness for DIY specs that won't clash due to the use of ASN1 OIDs.

I wouldn't mind seeing http://user@domain/ step into this cavity BTW -- HTTP must be the only protocol on the planet (well, sort of) that does not support usernames, and we are using this pattern very, very often nowadays.

>  Given IPv6, putting a unique IP
> address per hosted domain isn't so terrible, but having
>        % finger user@example.com

This would be an operational impossibility I fear.  If people need to get an IPv6 address per user to be able to run finger, then no admin will support it.  "Just use WebFinger", I can hear them say.

WebFinger by the way, is too far up the stack IMHO -- it queries the .well-known directory on a webserver, fills in a pattern and does a query.  Sounds more like DNS stuff to me, and a good application for http://user@domain/ -- the other obvious beneficiary being OpenID.  This might call for a SRV record of some kind in the DNS -- or an NAPTR.

> (yes, you can finger me for keys to check this message. John convinced me it
> the utility 15 years ago.)

Wonderful :)  If there were more like you it'd be the IPv6-added-value-showcase that could help the transport concur the World ;-)

-Rick