Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

Paul Wouters <paul@cypherpunks.ca> Thu, 08 August 2013 19:45 UTC

Date: Thu, 8 Aug 2013 15:44:49 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: John Gilmore <gnu@toad.com>
In-Reply-To: <201308070106.r7716UgN004651@new.toad.com>
Message-ID: <alpine.LFD.2.10.1308081542460.28351@bofh.nohats.ca>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com> <201308070106.r7716UgN004651@new.toad.com>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: openpgp@ietf.org, "Rick van Rein \(OpenFortress\)" <rick@openfortress.nl>, Phillip Hallam-Baker <hallam@gmail.com>, "dane@ietf.org" <dane@ietf.org>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

On Tue, 6 Aug 2013, John Gilmore wrote:

>>> * draft-wouters-dane-openpgp-00
>>> * draft-wouters-dane-otrfp-00
>
> These actually specify how to get authenticated key material from the
> DNS.  (However, they don't encrypt the DNS transaction, so the
> identity of the user being communicated with is leaked to NSA and
> any other wiretappers...)

I would suggest we address DNS query privacy in a generic way for all
DNS, although even if you just encrypt, it might not be enough when the
adversary has so many listening points and the user immediately uses
the DNS information for another action (e.g. an IM message or sending an
email).

Paul
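The failure mode described in the reply above (an encrypted lookup followed immediately by an observable action) is a timing-correlation problem. The following is an added example, not code from the thread, the drafts, or either author: a passive observer with two vantage points sees only the time, source and size of an encrypted DNS exchange (DNS-over-TLS on port 853 here), but can link it to the first new outbound connection from the same client within a short window and so infer what the lookup was about. All events, addresses, hostnames and timestamps are constructed for illustration; the two-second window is an assumed tuning knob, not a measured value.

```python
"""Timing correlation of encrypted DNS lookups with the action that follows.

Added example; not part of the original post or of draft-wouters-dane-*.
All events below are constructed and do not come from any real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds since capture start (constructed)
    src: str      # client address as seen by the wiretap
    kind: str     # "dns": encrypted lookup, name NOT visible; "conn": new outbound flow
    dst: str      # resolver for "dns"; peer host for "conn"
    port: int


DOT_PORT = 853  # assumed: DNS-over-TLS; the observer sees the flow but not the name

# Vantage point 1 (client uplink) shows the encrypted lookups; vantage point 2
# (path to mail/IM servers) shows where the client connects right afterwards.
EVENTS = [
    Event(100.0, "10.0.0.5", "dns",  "resolver.example.net", DOT_PORT),
    Event(100.4, "10.0.0.5", "conn", "mail.example.org", 25),      # SMTP right after lookup
    Event(100.9, "10.0.0.5", "conn", "cdn.example.com", 443),      # unrelated, later
    Event(200.0, "10.0.0.7", "dns",  "resolver.example.net", DOT_PORT),
    Event(230.0, "10.0.0.7", "conn", "xmpp.example.org", 5222),    # 30 s later: not linkable
    Event(300.0, "10.0.0.9", "dns",  "resolver.example.net", DOT_PORT),
    Event(300.3, "10.0.0.9", "conn", "resolver.example.net", DOT_PORT),  # more DNS, skip
    Event(300.5, "10.0.0.9", "conn", "xmpp.example.net", 5222),    # IM right after lookup
]


def correlate(events, window=2.0):
    """Link each encrypted lookup to the first non-DNS connection from the
    same client within `window` seconds.

    Returns a list of (lookup_time, client, inferred_peer_or_None), one entry
    per lookup, in time order. None means the action was not immediate enough
    for this observer to tie it to the lookup.
    """
    ordered = sorted(events, key=lambda e: e.t)
    linked = []
    for i, lookup in enumerate(ordered):
        if lookup.kind != "dns":
            continue
        peer = None
        for follow in ordered[i + 1:]:
            if follow.t - lookup.t > window:
                break  # everything after this is outside the window
            if (follow.src == lookup.src and follow.kind == "conn"
                    and follow.port != DOT_PORT and follow.dst != lookup.dst):
                peer = follow.dst
                break
        linked.append((lookup.t, lookup.src, peer))
    return linked


def leaked_targets(events, window=2.0):
    """Set of peer hosts the observer could attribute to an encrypted lookup."""
    return {peer for _, _, peer in correlate(events, window) if peer is not None}


if __name__ == "__main__":
    for t, client, peer in correlate(EVENTS):
        print(f"t={t:6.1f} {client}: lookup -> {peer or 'unlinked'}")
```

Encryption hides the query name, yet two of the three lookups are still attributed to a mail or IM server because the client acted on the answer at once. The 10.0.0.7 case shows what breaks the correlation: the action is far enough from the lookup (prefetching, caching or a deliberate delay would have the same effect) that this observer cannot link them, which is the sense in which encrypting the transport alone is not enough.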