Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere
John Gilmore <gnu@toad.com> Wed, 07 August 2013 01:06 UTC
Message-Id: <201308070106.r7716UgN004651@new.toad.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
In-reply-to: <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com>
Comments: In-reply-to Phillip Hallam-Baker <hallam@gmail.com> message dated "Tue, 06 Aug 2013 14:51:23 -0400."
Date: Tue, 06 Aug 2013 18:06:30 -0700
From: John Gilmore <gnu@toad.com>
Cc: "Rick van Rein (OpenFortress)" <rick@openfortress.nl>, "dane@ietf.org" <dane@ietf.org>, openpgp@ietf.org
> For what it is worth, I agree that using the DNS to store per-user data is
> not a good approach. The DNS administration model is that it makes
> assertions about network names and not individual users. Previous attempts
> to put end users in the DNS have uniformly met with failure.
>
> But that does not mean that LDAP is a useful tool. LDAP has tons of
> complexity and none of it does the slightest bit of good.

The classic Internet protocol for providing per-user data is "finger",
RFC 742 from 1977. (Note by the way the illustrious users in the
"examples" section.) It has been updated a few times, most recently in
RFC 1288 from 1991. It is a Draft Standard. Many people put their PGP
public key in their .plan file for easy remote access via finger.

Finger has two drawbacks for this purpose: It is not authenticated nor
encrypted; and it is designed to be human-readable, not
machine-readable. But a simple finger-like protocol, authenticated and
encrypted via keys anchored in DNSSEC, might not only fill the need to
obtain keys, but also offer a secured and machine-readable replacement
for the finger protocol.

> Sounds like you are proposing this.
> http://www.ietf.org/rfc/rfc4386.txt

Well, no. That just specifies a DNS RR for finding a server that
includes X.509 stuff. It doesn't define a protocol for getting the
stuff from that server, nor is it generic to information beyond X.509.

>> * draft-wouters-dane-openpgp-00
>> * draft-wouters-dane-otrfp-00

These actually specify how to get authenticated key material from the
DNS. (However, they don't encrypt the DNS transaction, so the identity
of the user being communicated with is leaked to NSA and any other
wiretappers...)

	John
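The finger exchange the message describes, written out as an added example (not code from the message, the thread, or any RFC): a client builds the RFC 1288 {Q1} request, a toy loopback server answers from a constructed .plan, and the client pulls the armored PGP key block out of the reply. The sample .plan, the key placeholder in it, and the helper names are all assumptions made for the example. Running it makes the two drawbacks John names concrete: the key arrives as cleartext bytes, and nothing in the protocol tells the client who answered or whether the block was altered in transit, so a key obtained this way still has to be verified by fingerprint out of band.

```python
"""Minimal finger (RFC 1288) exchange over loopback, showing how a PGP key
kept in a .plan file is fetched and why the result is unauthenticated."""
import socket
import threading

PGP_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PGP_END = "-----END PGP PUBLIC KEY BLOCK-----"

# Constructed sample .plan; the key block below is a placeholder, not a real key.
SAMPLE_PLAN = (
    "Login: alice          Name: Alice Example\r\n"
    "Plan:\r\n"
    "My public key:\r\n"
    f"{PGP_BEGIN}\r\n"
    "\r\n"
    "mQENBEXAMPLEONLYNOTAREALKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "=AbCd\r\n"
    f"{PGP_END}\r\n"
)


def build_finger_query(username: str, verbose: bool = False) -> bytes:
    """Build an RFC 1288 {Q1} request: [/W] [username] CRLF.
    The username is limited to printable ASCII so a caller cannot smuggle
    a CRLF (and with it a second request) into the query line."""
    if any(ch in "\r\n" or not (32 <= ord(ch) < 127) for ch in username):
        raise ValueError("username must be printable ASCII without CR/LF")
    prefix = "/W " if verbose else ""
    return f"{prefix}{username}\r\n".encode("ascii")


def extract_pgp_key_block(response: str):
    """Return the first armored public key block in a finger reply, or None."""
    start = response.find(PGP_BEGIN)
    if start < 0:
        return None
    end = response.find(PGP_END, start)
    if end < 0:
        return None
    return response[start:end + len(PGP_END)]


def finger(host: str, port: int, username: str, timeout: float = 5.0) -> str:
    """Send one query and read until the server closes the connection.
    Everything is cleartext; the client learns nothing about who answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_finger_query(username))
        chunks, total = [], 0
        while total < 64 * 1024:  # cap how much untrusted data we accept
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def _serve_once(listener: socket.socket, plans: dict) -> None:
    """Toy server: answer exactly one RFC 1288 query from the plans dict."""
    conn, _ = listener.accept()
    with conn:
        line = conn.makefile("rb").readline(1024).decode("ascii", errors="replace")
        user = line.rstrip("\r\n").removeprefix("/W").strip()
        conn.sendall(plans.get(user, "Login not found.\r\n").encode("ascii"))


def fetch_key_over_loopback(username: str = "alice"):
    """Run the whole exchange against the toy server on 127.0.0.1 and return
    the extracted key block (or None if the reply carries none)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_once, args=(listener, {"alice": SAMPLE_PLAN}))
    t.start()
    try:
        response = finger("127.0.0.1", port, username)
    finally:
        t.join()
        listener.close()
    return extract_pgp_key_block(response)


if __name__ == "__main__":
    key = fetch_key_over_loopback()
    print(key if key else "no key block in response")
```

The CRLF check in `build_finger_query` is the one defensive detail worth copying into any finger-like client: the request is a single line, so a username containing a line break would otherwise be sent as two requests. Everything else the code shows is the absence of a property: no server identity, no integrity, no confidentiality, which is exactly the gap the message proposes closing with a DNSSEC-anchored replacement.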