IETF Logo Mail Archive

Re: [openpgp] The DANE draft

Simon Josefsson <simon@josefsson.org> Thu, 30 July 2015 20:30 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6E851ACE9E; Thu, 30 Jul 2015 13:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ys3GFmh6fYVH; Thu, 30 Jul 2015 13:30:23 -0700 (PDT)
Received: from duva.sjd.se (duva.sjd.se [IPv6:2001:9b0:1:1702::100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDBC31ACE77; Thu, 30 Jul 2015 13:30:22 -0700 (PDT)
Received: from latte.josefsson.org ([155.4.17.3]) (authenticated bits=0) by duva.sjd.se (8.14.4/8.14.4/Debian-4) with ESMTP id t6UKU4PL024041 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT); Thu, 30 Jul 2015 22:30:05 +0200
From: Simon Josefsson <simon@josefsson.org>
To: Paul Wouters <paul@nohats.ca>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87si8dagiz.fsf@vigenere.g10code.de> <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
X-Hashcash: 1:22:150730:ogud@ogud.com::BKQTMAmbI0+O6qYE:4u7f
X-Hashcash: 1:22:150730:paul@nohats.ca::O5LAUn6/NBOzLkEr:Jjy6
X-Hashcash: 1:22:150730:wk@gnupg.org::REuC5UBXS/4ET53T:MoJq
X-Hashcash: 1:22:150730:openpgp@ietf.org::Y++BJQc0ysdtvZAf:Mt3U
X-Hashcash: 1:22:150730:dane@ietf.org::+bKdhcCx134st6Xs:Nvac
X-Hashcash: 1:22:150730:phill@hallambaker.com::fRCIlYoSkT55G9U2:DdO+
Date: Thu, 30 Jul 2015 22:30:03 +0200
In-Reply-To: <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca> (Paul Wouters's message of "Sat, 25 Jul 2015 08:19:04 -0400 (EDT)")
Message-ID: <87fv45v16c.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.4 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
X-Virus-Scanned: clamav-milter 0.98.7 at duva.sjd.se
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/j1XUvf_1-daanmW15WRYiH8TI5Y>
Cc: Werner Koch <wk@gnupg.org>, IETF OpenPGP <openpgp@ietf.org>, Phillip Hallam-Baker <phill@hallambaker.com>, Olafur Gudmundsson <ogud@ogud.com>, dane WG list <dane@ietf.org>
Subject: Re: [openpgp] The DANE draft
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 20:30:24 -0000

Paul Wouters <paul@nohats.ca> writes:

>> Here are some thoughts, anyway:
>>
>> - Why a new DNS record despite that the CERT type has PGP support for
>>  9 years now (RFC-4398).
>>
>>  The argument for a new record is that this makes parsing easier
>>  because there is no need to loop over the record's sub-types.  I do
>>  not consider it a valid argument because there is a need to loop
>>  anyway because there may be several DANE records for the same key.
>>  Adding an extra loop over the sub-types is a non-brainer and the
>>  selection logic to find the best matching record will be the same.
>
> Using subtypes for DNS is something the DNS people in general have
> concluded to be a wrong idea. As stated before, even Olafur who is one
> of the authors of the CERT RRtype advised us not to use CERT (or
> subtyping in general)

Then I believe that community should attempt to move RFC 2538/4398 to
historic.  I don't believe there is sufficient consensus for doing that
-- there is good use of CERT records already, although limited.

> Additionally, because the CERT record is a meta-container record,
> support for CERT is not good because to properly parse it you need
> all of openpgp and all of x509 and all of what other subtypes would
> be added later on. So instead of implementing CERT records partially,
> many DNS implementations just did not bother with it at all.

I disagree -- CERT can be implemented without understanding any of
OpenPGP or X.509, and it is implemented by DNS software already.

>>  GnuPG has support for such CERT records including a script to create
>>  them also for about 9 years.  It is not widely used because most users
>>  have no way to add records to their zone - that is the same problem
>>  for DANE of course.
>
> CERT wasn't widely used because frankly pgp is not widely used. Also,
> CERT without DNSSEC makes no sense

This is false -- CERT makes a lot of sense without DNSSEC, as OpenPGP
keys can be verified through the web of trust.  I don't believe
comparing deployment sizes should be a deciding factor in this context,
but I disagree with your notion that OpenPGP is not widely used.

/Simon

v2.23.0 | Report a Bug | By Email