Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

ianG <iang@iang.org> Fri, 09 August 2013 08:43 UTC

Message-ID: <5204AB8E.8020309@iang.org>
Date: Fri, 09 Aug 2013 11:42:54 +0300
From: ianG <iang@iang.org>
To: openpgp@ietf.org
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com> <201308070106.r7716UgN004651@new.toad.com> <alpine.LFD.2.10.1308081542460.28351@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1308081542460.28351@bofh.nohats.ca>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

On 8/08/13 22:44 PM, Paul Wouters wrote:
> On Tue, 6 Aug 2013, John Gilmore wrote:
>
>>>> * draft-wouters-dane-openpgp-00
>>>> * draft-wouters-dane-otrfp-00
>>
>> These actually specify how to get authenticated key material from the
>> DNS.


Would they work?

(yes, asking for forgiveness for not reading them here...)


>> (However, they don't encrypt the DNS transaction, so the
>> identity of the user being communicated with is leaked to NSA and
>> any other wiretappers...)
>
> I would suggest we address DNS query privacy in a generic way for all
> DNS, although even if you just encrypt, it might not be enough when the
> adversary has so many listening points, and the user immediately uses
> the DNS information for another action (eg an IM message or sending an
> email)


If I was the NSA, I'd make sure that people were focussed on solving the 
entire encryption and traffic analysis problem.  Complete solution, end 
to end, with lots of options.  I'd fight like hell to stop them just 
solving the authentication problem.



iang