Re: [openpgp] The DANE draft

Paul Wouters <paul@nohats.ca> Sun, 26 July 2015 15:42 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0230D1A9250 for <openpgp@ietfa.amsl.com>; Sun, 26 Jul 2015 08:42:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id REGHVC4Yfug3 for <openpgp@ietfa.amsl.com>; Sun, 26 Jul 2015 08:42:06 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F0C81A1BE7 for <openpgp@ietf.org>; Sun, 26 Jul 2015 08:42:06 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3mfT645QfRzD6j; Sun, 26 Jul 2015 17:42:04 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=CkVRsmou
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id X5DtlXVvBxrx; Sun, 26 Jul 2015 17:42:03 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 26 Jul 2015 17:42:03 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 97193800AD; Sun, 26 Jul 2015 11:42:02 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1437925322; bh=4g6RDfKgUzWxUYXIU9PWHhROlZ49xiU+Vj5c6pvTmJY=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=CkVRsmouM+T+utuKIwlya5tsgtpXV1pOrMOvNLbpR6zgWM1TM7TB8LReDinx5FFEH xUzgvw5+CblQfc3uK2jhb5aNr63Z58DAtp4HrGO/N9WobYFCIY5K607BbKa86w52K/ zkL5rs+ZoGN9wHRyo6zPMBys7/EgF1nvmv5DZQmE=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.1/8.15.1/Submit) with ESMTP id t6QFg1WE002698; Sun, 26 Jul 2015 11:42:02 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Sun, 26 Jul 2015 11:42:01 -0400
From: Paul Wouters <paul@nohats.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>
In-Reply-To: <CAMm+LwhGCtoNrLcDKA8PDDSM5DJN50G1Y+6V99v1hB9eyzjkgw@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1507261124270.32550@bofh.nohats.ca>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87bnf1hair.fsf@alice.fifthhorseman.net> <CAMm+LwhGCtoNrLcDKA8PDDSM5DJN50G1Y+6V99v1hB9eyzjkgw@mail.gmail.com>
User-Agent: Alpine 2.11 (LFD 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/cf0P17WBoH0WJJqGx7EwYadlS0I>
Cc: IETF OpenPGP <openpgp@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] The DANE draft
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2015 15:42:11 -0000

On Sat, 25 Jul 2015, Phillip Hallam-Baker wrote:

> Agreed. But OpenPGP already has a fairly effective key distribution infrastructure.

You mean 3 or so commonly used pgp key servers, with the main MIT one
being down for some considerable time recently? It takes about 5 firewall
rules for any nation state to block you from fetching pgp keys.

> I am happy to leverage the DNS as one way to validate keys but it can't be the only way. And the way it is designed means it
> isn't actually a particularly convenient one.

No one is saying it must be the only way.

How would you design it differently to make it more convenient? We have
an easy known QNAME, a dedicated RRtype, a known specified wire format
payload of something you can feed straight into any pgp/gpg tool, and
a DNS presentation format that is ascii armor format in the same way as
the RFC and openpgp tools use themselves. How can I make this more
convenient for you?

> Yes, every end entity should have their own key. But if all you do is domain validation then the domain owner is always going
> to be able to sign for alice@example.com by publishing a key.

Right now with what you call "fairly effective key distribution
infrastructure", anyone can make a key for phill@hallambaker.com and
publish it there. Limiting bogus keys to only those who control the domain
you picked based on the people running that domain seems like a great
win to me.

> Yes, the key servers work. They are deployed. The only reason to replace them would be with something better. 

If openpgpkey saw as much usage as for example OTR, these servers would
contain millions of bogus keys generated by adversaries. As I said
before, it's hard to create infrastructure that's worse than the current
key server scheme.

>       It sounds to me like you're interested in DNSSEC Transparency.  Perhaps
>       you could take that up in the trans WG?  I know there are other people
>       interested there (i am!) but this discussion doesn't belong on the
>       OpenPGP mailing list.
> 
> Yes, I have written a TRANS notary (besides the one Rob wrote). I know the spec. But that is an infrastructure targeted at a
> single task and working within a set of rather obnoxious constraints (PKIX).
> 
> Right now, that discussion certainly does not belong in TRANS any more than OpenPGP. I am suggesting we use
> therightkey@ietf.org for that sort of discussion.

<trans wg chair hat>
There is currently interest in picking up CT for DNSSEC. One of the items
that needs discussing is which records to allow in the log. Some of
that discussion would definitely be useful on the trans mailing list.
</hat>

Paul
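As an added illustration of the "known QNAME, dedicated RRtype, known wire format" design Paul describes above, here is a small Python example. It is not code from the thread or from any OpenPGP/DANE implementation; it follows the construction that was eventually published as RFC 7929 (SHA2-256 of the local part truncated to 28 octets under the _openpgpkey label, RR type 61, RDATA = the binary transferable public key shown as base64 in zone files). The draft under discussion in July 2015 may have differed in details, and the sample key bytes are a constructed packet header, not a real key.

```python
import base64
import hashlib

# IANA type code for the OPENPGPKEY RR (RFC 7929); resolvers and zone tools
# that do not know the mnemonic show it as TYPE61 in RFC 3597 generic syntax.
OPENPGPKEY_RRTYPE = 61


def openpgpkey_qname(address: str) -> str:
    """Owner name under which the key for an e-mail address is published.

    Per RFC 7929: SHA2-256 over the UTF-8 local part, truncated to 28 octets,
    rendered as 56 lowercase hex digits, then the _openpgpkey label, then the
    domain.  The local part is hashed as-is (no case folding); the domain is
    a DNS name and therefore case-insensitive, so it is lowercased here.
    """
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{label}._openpgpkey.{domain.lower().rstrip('.')}."


def openpgpkey_presentation(owner: str, key_blob: bytes, ttl: int = 3600) -> str:
    """One OPENPGPKEY RR in zone-file form.

    The RDATA is the binary transferable public key (RFC 4880 packets, i.e.
    what `gpg --export` emits without --armor), shown as base64.
    """
    b64 = base64.b64encode(key_blob).decode("ascii")
    return f"{owner} {ttl} IN OPENPGPKEY {b64}"


def openpgpkey_rdata_from_presentation(line: str) -> bytes:
    """Recover the binary key from a presentation-format RR line.

    Accepts both the OPENPGPKEY mnemonic (base64, possibly split across
    whitespace by a zone file formatter) and the RFC 3597 generic form
    'TYPE61 \\# <length> <hex>' produced by tools that predate the type.
    """
    fields = line.split()
    if "OPENPGPKEY" in fields:
        b64 = "".join(fields[fields.index("OPENPGPKEY") + 1:])
        return base64.b64decode(b64, validate=True)
    generic = f"TYPE{OPENPGPKEY_RRTYPE}"
    if generic in fields:
        i = fields.index(generic)
        if fields[i + 1] != r"\#":
            raise ValueError("generic RR syntax requires \\# after the type")
        declared = int(fields[i + 2])
        rdata = bytes.fromhex("".join(fields[i + 3:]))
        if len(rdata) != declared:
            raise ValueError(f"RDATA length {len(rdata)} != declared {declared}")
        return rdata
    raise ValueError("not an OPENPGPKEY record")


def looks_like_openpgp_public_key(rdata: bytes) -> bool:
    """Cheap sanity check before feeding RDATA to `gpg --import`.

    A transferable public key must start with a Public-Key packet (tag 6).
    RFC 4880 packet header octet: bit 7 is always set; bit 6 set means
    new-format (tag in bits 0-5), clear means old-format (tag in bits 2-5).
    ASCII-armored text fails this check, which catches a zone operator who
    published the armored export instead of the binary one.
    """
    if not rdata or not rdata[0] & 0x80:
        return False
    first = rdata[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return tag == 6


# Constructed sample, NOT a real key: an old-format tag-6 packet header
# (0x99 = old format, tag 6, two-octet length field) plus 5 filler bytes.
SAMPLE_KEY_BLOB = b"\x99\x00\x05" + b"\x04\x00\x00\x00\x00"


if __name__ == "__main__":
    owner = openpgpkey_qname("hugh@example.com")
    rr = openpgpkey_presentation(owner, SAMPLE_KEY_BLOB)
    print(rr)
    assert openpgpkey_rdata_from_presentation(rr) == SAMPLE_KEY_BLOB
    assert looks_like_openpgp_public_key(SAMPLE_KEY_BLOB)
```

The owner-name function makes the trust boundary in the thread concrete: everything after the hash label is the address's domain, so whoever controls the example.com zone (and its DNSSEC signing key) decides which key is served for hugh@example.com, and nobody outside that zone can publish one there. The tag check is worth keeping in a fetcher because the record's wire format is the raw key, not an armored block, and a common deployment mistake is publishing the wrong one.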