Re: [openpgp] The DANE draft
Paul Wouters <paul@nohats.ca> Sun, 26 July 2015 15:42 UTC
Date: Sun, 26 Jul 2015 11:42:01 -0400
From: Paul Wouters <paul@nohats.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>
In-Reply-To: <CAMm+LwhGCtoNrLcDKA8PDDSM5DJN50G1Y+6V99v1hB9eyzjkgw@mail.gmail.com>
Message-ID: <alpine.LFD.2.11.1507261124270.32550@bofh.nohats.ca>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87bnf1hair.fsf@alice.fifthhorseman.net> <CAMm+LwhGCtoNrLcDKA8PDDSM5DJN50G1Y+6V99v1hB9eyzjkgw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/cf0P17WBoH0WJJqGx7EwYadlS0I>
Cc: IETF OpenPGP <openpgp@ietf.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Subject: Re: [openpgp] The DANE draft
On Sat, 25 Jul 2015, Phillip Hallam-Baker wrote:

> Agreed. But OpenPGP already has a fairly effective key distribution
> infrastructure.

You mean 3 or so commonly used pgp key servers, with the main MIT one
being down for some considerable time recently? It takes about 5 firewall
rules for any nation state to block you from fetching pgp keys.

> I am happy to leverage the DNS as one way to validate keys but it can't
> be the only way. And the way it is designed means it isn't actually a
> particularly convenient one.

No one is saying it must be the only way. How would you design it
differently to make it more convenient? We have an easy known QNAME, a
dedicated RRtype, a known specified wire format payload of something you
can feed straight into any pgp/gpg tool, and a DNS presentation format
that is ascii armor format in the same way as the RFC and openpgp tools
use themselves. How can I make this more convenient for you?

> Yes, every end entity should have their own key. But if all you do is
> domain validation then the domain owner is always going to be able to
> sign for alice@example.com by publishing a key.

Right now with what you call "fairly effective key distribution
infrastructure", anyone can make a key for phill@hallambaker.com and
publish it there. Limiting bogus keys to only those who control the
domain you picked based on the people running that domain seems like a
great win to me.

> Yes, the key servers work. They are deployed. The only reason to replace
> them would be with something better.

If openpgpkey saw as much usage as for example OTR, these servers would
contain millions of bogus keys generated by adversaries. As I said before,
it's hard to create infrastructure that's worse than the current key
server scheme.

> It sounds to me like you're interested in DNSSEC Transparency. Perhaps
> you could take that up in the trans WG? I know there are other people
> interested there (i am!) but this discussion doesn't belong on the
> OpenPGP mailing list.
>
> Yes, I have written a TRANS notary (besides the one Rob wrote). I know
> the spec. But that is an infrastructure targeted at a single task and
> working within a set of rather obnoxious constraints (PKIX).
>
> Right now, that discussion certainly does not belong in TRANS any more
> than OpenPGP. I am suggesting we use therightkey@ietf.org for that sort
> of discussion.

<trans wg chair hat>

There is currently interest in picking up CT for DNSSEC. One of the items
that needs discussing is which records to allow in the log. Some of that
discussion would definitely be useful on the trans mailing list.

</hat>

Paul
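The "easy known QNAME" and "dedicated RRtype" Paul refers to are the OPENPGPKEY record of the DANE draft, published later as RFC 7929. The following is an added example for this archive page, not code from the thread or from any of its participants: it builds the owner name a mail client queries for an address and decodes the base64 presentation form of a returned record far enough to confirm it starts with an OpenPGP Public-Key packet, which is what a Transferable Public Key must begin with. The address hugh@example.com is the one RFC 7929 uses in its own examples; the key bytes are constructed here and are not a real key.

```python
"""OPENPGPKEY owner-name construction and RDATA sanity check.

Added example, not code from the thread or from any participant. It
follows RFC 7929 (the published form of the draft-ietf-dane-openpgpkey
draft under discussion): the local-part of the address is hashed with
SHA2-256, the digest truncated to 28 octets and hex-encoded, and placed
under the fixed "_openpgpkey" label in the address's domain. The sample
address and key bytes below are constructed for illustration.
"""
import base64
import hashlib
from typing import Dict, Tuple

PUBLIC_KEY_PACKET_TAG = 6  # RFC 4880 section 5.5.1.1


def openpgpkey_qname(email: str) -> str:
    """Return the fully qualified owner name holding the OPENPGPKEY RRset."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local-part@domain")
    # RFC 7929 hashes the local-part as given, with no case folding, so
    # "Hugh" and "hugh" map to different owner names. The domain is
    # case-insensitive DNS, so it is lower-cased and made absolute.
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower().rstrip('.')}."


def parse_packet_header(data: bytes) -> Tuple[int, int, int]:
    """Decode one OpenPGP packet header (RFC 4880 section 4.2).

    Returns (tag, header_length, body_length). Rejects the old-format
    indeterminate length and new-format partial body lengths, which a
    key published as a fixed-size DNS record has no reason to use.
    """
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = data[0]
    if first & 0x40:  # new format: tag in the low six bits
        tag = first & 0x3F
        if len(data) < 2:
            raise ValueError("truncated header")
        l1 = data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            if len(data) < 3:
                raise ValueError("truncated header")
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            if len(data) < 6:
                raise ValueError("truncated header")
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths are not allowed here")
    # old format: tag in bits 5..2, length-type in bits 1..0
    tag = (first >> 2) & 0x0F
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate length is not allowed here")
    size = 1 << length_type  # 1, 2 or 4 length octets
    if len(data) < 1 + size:
        raise ValueError("truncated header")
    return tag, 1 + size, int.from_bytes(data[1:1 + size], "big")


def inspect_openpgpkey_rdata(presentation: str) -> Dict[str, int]:
    """Decode the base64 presentation form of an OPENPGPKEY record.

    Checks that the RDATA starts with a Public-Key packet, as a
    Transferable Public Key must (RFC 4880 section 11.1), and returns the
    version, creation time and public-key algorithm id from that packet.
    """
    rdata = base64.b64decode(presentation, validate=True)
    tag, hdr_len, body_len = parse_packet_header(rdata)
    if tag != PUBLIC_KEY_PACKET_TAG:
        raise ValueError(f"first packet has tag {tag}, expected Public-Key (6)")
    body = rdata[hdr_len:hdr_len + body_len]
    if len(body) != body_len or body_len < 6:
        raise ValueError("truncated Public-Key packet")
    version = body[0]
    if version != 4:
        raise ValueError(f"unsupported public-key packet version {version}")
    return {
        "version": version,
        "created": int.from_bytes(body[1:5], "big"),
        "algorithm": body[5],
        "rdata_length": len(rdata),
    }


# Constructed sample: an old-format Public-Key packet header (0x98 = tag 6,
# one-octet length) followed by a v4 body: version, creation time,
# algorithm 1 (RSA) and a two-octet stand-in for the key material.
SAMPLE_BODY = bytes([4]) + (1437925322).to_bytes(4, "big") + bytes([1]) + b"\x00\x00"
SAMPLE_RDATA = bytes([0x98, len(SAMPLE_BODY)]) + SAMPLE_BODY
SAMPLE_PRESENTATION = base64.b64encode(SAMPLE_RDATA).decode("ascii")


if __name__ == "__main__":
    name = openpgpkey_qname("hugh@example.com")
    print("query:", name, "IN OPENPGPKEY")  # e.g. dig +dnssec OPENPGPKEY <name>
    print(inspect_openpgpkey_rdata(SAMPLE_PRESENTATION))
```

The owner name is what makes the lookup "easy": a client needs only the address to know exactly which name to ask for, and a DNSSEC-validating resolver ties the answer to the domain in the address, which is the trust boundary Paul contrasts with keyservers that will serve anyone's key for any address. The header check is the minimal sanity test before handing the RDATA to gpg; it does not verify self-signatures or that a User ID in the key matches the queried address, which a real client must still do.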