Re: [openpgp] Dnsdir last call review of draft-ietf-openpgp-crypto-refresh-12
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 20 November 2023 17:50 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD87C15154E; Mon, 20 Nov 2023 09:50:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b="EYLbQSKQ"; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b="cIf3vc43"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tareJriRdDtq; Mon, 20 Nov 2023 09:50:15 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31585C1516E9; Mon, 20 Nov 2023 09:50:14 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1700502612; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=e8Ke36lj8kTwXq8p8y6jDedoE+2g86yzs5PwevT6iD8=; b=EYLbQSKQYgT6h74LYGuL52nh4HeLDEXThJn3nW/zLHIdwtanUOKPx240ejGj6PQRBADf7 rRqbUPB06iDhmkEAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1700502612; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=e8Ke36lj8kTwXq8p8y6jDedoE+2g86yzs5PwevT6iD8=; b=cIf3vc43XMMTk9iIWRXiXvvPkHB1JWVdUOkKJQl65y15yB1NggT4z9Lr5+ZVase2JlUvr HZAi6nJZVc+XJlTUzwB32vmJmOtrWhNqQUvq6bqEx20ba2zNcWGL63hvoSHMopzsI6ktevO uQMjK8cdogtjFSXpaXwKhBA/3HeXv+uf/tvdWr4R1RPGnTNxDkgaETPOkCgCQRZ7gYcXt2v jhOAkIXDqO/8+XodFOkjak3FO0UVRYa3fEh+m4Vpo5zJSGYNnTS1CaDbw1oz4bQq+EWtloo lRMW+mXQWXhj6Lu3QpQ8n/VEtpt2HhOEOOuX3Uvi9Yt5Ps77xsIY+8x9bv9Q==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 34C87F9E8; Mon, 20 Nov 2023 12:50:12 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 214EA203DC; Fri, 17 Nov 2023 14:42:40 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: David Blacka <davidb@verisign.com>, dnsdir@ietf.org
Cc: draft-ietf-openpgp-crypto-refresh.all@ietf.org, last-call@ietf.org, openpgp@ietf.org
In-Reply-To: <170014354534.50347.1519830214066732502@ietfa.amsl.com>
References: <170014354534.50347.1519830214066732502@ietfa.amsl.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 17 Nov 2023 14:42:38 -0500
Message-ID: <87bkbs180h.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/ixUaOBH_eMICkQnyyhmk5ZOa4BM>
Subject: Re: [openpgp] Dnsdir last call review of draft-ietf-openpgp-crypto-refresh-12
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2023 17:50:21 -0000
Hi David-- On Thu 2023-11-16 06:05:45 -0800, David Blacka via Datatracker wrote: > The sole mention of DNS is in 5.2.3.24 "Notation Data", where it says: > >> Names in the user namespace consist of a UTF-8 string tag followed by >> "@" followed by a DNS domain name. Note that the tag MUST NOT contain >> an "@" character. For example, the "sample" tag used by Example >> Corporation could be "sample@example.com". Names in a user space are >> owned and controlled by the owners of that domain. Obviously, it's >> bad form to create a new name in a DNS space that you don't >> own. Since the user namespace is in the form of an email address, >> implementers MAY wish to arrange for that address to reach a person >> who can be consulted about the use of the named tag. Note that due to >> UTF-8 encoding, not all valid user space name tags are valid email >> addresses. > > This is clear on the surface -- if one is using a "user namespace" identifier, > it should look like an email address. This is likely to be sufficient in > practice. However, as a DNS person, one wonders what is meant by "DNS domain > name" *precisely*. In particular, is it supposed to be an existing DNS domain > name? Is it dangerous if not? Are there limits on the length of the domain > name part (or the username part)? How does "UTF-8" encoding mesh with standard > DNS domain name formats? Do we expect the domain name part to be > "letters-digits-hyphens"? or can it be anything, differing from standard DNS > presentation format by UTF-8 encoding of non-ascii characters instead of > decimal encoding? > > My guess is that what is meant is that the DNS domain name part of the > identifier is an existing (at the time) domain name that SHOULD be controlled > by the user. Saying it is existing (or did exist) brings along many > restrictions that then need not be stated. > > These are very minor questions about a very minor part of this draft, however. Thanks for these notes! This is text that was inherited from RFC 4880, which this document revises, but the WG wasn't really chartered to fix these sort of ambiguities in the standard unless they didn't take , and no one proposed a concrete improvement either. For the future, If anyone from the DNSDIR or within the OpenPGP community feels inclined to clarify some of these ambiguities, one good place might be the internet draft i started which outlines similar concerns about ambiguities and lack of clarity in User ID conventions: https://datatracker.ietf.org/doc/draft-dkg-openpgp-userid-conventions/ In practice, i don't think anyone has identified real-world confusion in the namespacing of OpenPGP notation names, and in fact the practice of User ID conventions also doesn't have much in the way of real-world confusion. The only issue is that the documentation doesn't currently align with real-world practice. I agree with David's consensus that these aren't issues that need to be solved for the crypto-refresh draft, but i wanted to point out a potential locus of work for anyone who does feel inclined to clean this stuff up in the future. --dkg
- [openpgp] Dnsdir last call review of draft-ietf-o… David Blacka via Datatracker
- Re: [openpgp] [dnsdir] Dnsdir last call review of… Jim Reid
- Re: [openpgp] Dnsdir last call review of draft-ie… Daniel Kahn Gillmor