Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere

Mark Andrews <marka@isc.org> Wed, 07 August 2013 03:10 UTC

Return-Path: <marka@isc.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A526821F9A0C; Tue, 6 Aug 2013 20:10:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.482
X-Spam-Level:
X-Spam-Status: No, score=-2.482 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDi5HdZrqqSl; Tue, 6 Aug 2013 20:09:58 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id C4F8221F9A1C; Tue, 6 Aug 2013 20:09:54 -0700 (PDT)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id A3271C948E; Wed, 7 Aug 2013 03:09:16 +0000 (UTC) (envelope-from marka@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1375844993; bh=rV3w1l26c7cVuyctCvcvawM3wTvSazWuzeunCvzJqg4=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=ViBkdT3Y0+TpnQIX1FhsfzrJBevkki3G6AP6gsf3u0TVdl9+P/bldI0UmSkSDNwva zjMbqq0bCHeY1z6JOWkDZfrA/qGB31o2Ns+MbqUWfcyUhN9dvNjG2p1AqYB9ZLLIcA /TSSt/D2wMZopL1SwFrq6VrR/+XSVFZVCKmTkPn8=
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Wed, 7 Aug 2013 03:09:16 +0000 (UTC) (envelope-from marka@isc.org)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B226616037C; Wed, 7 Aug 2013 03:13:30 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id FpDWHKe_4u9A; Wed, 7 Aug 2013 03:13:26 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1B80A16037A; Wed, 7 Aug 2013 03:13:26 +0000 (UTC)
Received: from drugs.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id A66A1160082; Wed, 7 Aug 2013 03:13:25 +0000 (UTC)
Received: from drugs.dv.isc.org (localhost [IPv6:::1]) by drugs.dv.isc.org (Postfix) with ESMTP id A569C3814077; Wed, 7 Aug 2013 13:09:09 +1000 (EST)
To: Michael Richardson <mcr+ietf@sandelman.ca>
From: Mark Andrews <marka@isc.org>
References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <A2FA963F-FB8F-4CEE-9001-464A128F1EAD@openfortress.nl> <CAMm+LwjFBhQD+fzQyWbhyWwBNqAXUwC5u4EFivw+US1uCbBccQ@mail.gmail.com> <201308070106.r7716UgN004651@new.toad.com> <30532.1375843681@sandelman.ca>
In-reply-to: Your message of "Tue, 06 Aug 2013 22:48:01 -0400." <30532.1375843681@sandelman.ca>
Date: Wed, 07 Aug 2013 13:09:09 +1000
Message-Id: <20130807030909.A569C3814077@drugs.dv.isc.org>
X-DCC--Metrics: post.isc.org; whitelist
X-Mailman-Approved-At: Tue, 06 Aug 2013 22:58:50 -0700
Cc: "Rick van Rein \(OpenFortress\)" <rick@openfortress.nl>, openpgp@ietf.org, John Gilmore <gnu@toad.com>, "dane@ietf.org" <dane@ietf.org>
Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 03:10:04 -0000

> John Gilmore <gnu@toad.com>; wrote:
>     >> For what it is worth, I agree that using the DNS to store per-user data is
>     >> not a good approach. The DNS administration model is that it makes
>     >> assertions about network names and not individual users. Previous attempts
>     >> to put end users in the DNS have uniformly met with failure.
>     >>
>     >> But that does not mean that LDAP is a useful tool. LDAP has tons of
>     >> complexity and none of it does the slightest bit of good.
> 
>     > The classic Internet protocol for providing per-user data is "finger",
>     > RFC 742 from 1977.  (Note by the way the illustrious users in the
>     > "examples" section.)  It has been updated a few times, most recently
>     > in RFC 1288 from 1991.  It is a Draft Standard.  Many people put their
>     > PGP public key in their .plan file for easy remote access via finger.
> 
>     > Finger has two drawbacks for this purpose: It is not authenticated nor
>     > encrypted; and it is designed to be human-readable, not
>     > machine-readable.  But a simple finger-like protocol, authenticated
>     > and encrypted via keys anchored in DNSSEC, might not only fill the
>     > need to obtain keys, but also offer a secured and machine-readable
>     > replacement for the finger protocol.
> 
> Alas, finger ignores the MX records, and the standard client does not pass
> the entire command line argument in the query (making multi-tenant hard).
> 
> This effectively means that one has to run the fingerd on the web server,
> as many want "example.com" to answer the same as "www.example.com", and HTTP
> doesn't do SRV lookup either.
> 
> If finger could be updated to look up a SRV RR to find the finger server,
> it would be very so much easier to deploy.  Given IPv6, putting a unique IP
> address per hosted domain isn't so terrible, but having
>         % finger user@example.com
> 
> send "user@example.com"; as it's query would help too.
> 
> I frankly think that having per-user data in DNS is not a horrible thing.
> It is true that the DNS administrators often will not like this, but as was
> pointed out in a WG session last week, many them will respond to a request
> like:
>         "please insert
>                 user.example.com IN NS ns1.user.example.com"
> 
> even when they don't understand:
>      "please delegate user.example.com to ns1.user.example.com"
> 
> (yes, you can finger me for keys to check this message. John convinced me it
> the utility 15 years ago.)
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>;, Sandelman Software Works

DNS mailbox format for users is just plain wrong.  It results in
namespace collisions between users and hosts which has all sorts
of implications on delegations.  Additionally DNS name normalisation
is nowhere near similar to the normalisation used for user names
in mail servers so even if you addressed the namespace collision
there are still major problem.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org