[openpgp] Re: Certificate discovery over HKP
Daniel Huigens <d.huigens@protonmail.com> Tue, 08 April 2025 18:34 UTC
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/j8eGe5PbcjL_FYWENvhSw2pF3b8>

Hi Andrew & all,

In the discussion at the summit, it was mentioned that DNS over HTTPS could be used as a proxy by clients who need it. So, even if we go with the SRV option, I don't think we need to build anything related to that into keyservers, tbh.

As Bart mentioned at the summit, it would be useful for us to be able to tell customers with custom domains to set a SRV record (obviously we already have to tell them to set a bunch of other DNS records anyway), as opposed to having to serve an openpgpkey subdomain for them and request a TLS cert for that and so on.

> we can require that policy file lookups are covered by a
> TLS certificate, but cannot yet require that SRV records be
> covered by DNSSEC

In theory we could require that, it's just a question of whether the security gain is worth preventing sites without DNSSEC from using this, right?

Also, in the cold-email case, the most serious attack a MITM could do is to prevent the OpenPGP cert from being served altogether, and that's possible in either case (e.g. by just removing the openpgpkey subdomain DNS record).

So, the case where the distinction matters is if you already have a valid cert, and would replace it with a new cert from a keyserver, without requiring e.g. a replacement key subpacket or other evidence that the new certificate is authentic.

Best,
Daniel