Re: [openpgp] OpenPGP private certification
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 08 April 2015 18:29 UTC
To: Christoph Anton Mitterer <calestyo@scientia.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/rFK8jsii0dxaX4pztKwWzJvyXN0>
Cc: IETF OpenPGP <openpgp@ietf.org>

On Wed, Apr 8, 2015 at 2:05 PM, Christoph Anton Mitterer <calestyo@scientia.net> wrote:
> On Wed, 2015-04-08 at 10:15 -0400, Phillip Hallam-Baker wrote:
>> Personally, I believe that owning your personal DNS name is as
>> important for security as having a keypair.
> Why should it give you any security?

Same reason that backing up your files is the number one security priority: security means being able to assess and control risks to your assets. Confidentiality is only one concern and one that is fairly low down. Integrity is almost always more important. If I invest in hallam@gmail.com then I am making myself vulnerable to a change of policy. I have little choice but to pay if they decide to start charging $50/month.

>> I have a huge part of my
>> brand invested in hallam@gmail.com which I don't own. Which is why I
>> switched to phill@hallambaker.com for ietf work. But I have yet to win
>> that argument.
> It only gives you that some company cannot easily take away your mail
> address, but OTOH it's probably an illusion to believe that your own
> domain name protects you much more from this.
>
> See cases like the German person called "Shell", who had shell.de and
> guess who has it now.

Which is one reason I don't trust ICANN's vision of DNSSEC. But still, security is risk control and not risk elimination - something I have been saying for over 20 years now.

>> I really don't like having ICANN as my root CA either. DNSSEC is a
>> monolithic, single rooted scheme which I don't consider very
>> trustworthy because of that.
> Sure, it has similar problems like the X.509 PKI, just on a less extreme
> scale.

It trades one set of problems for another.

> But no one should try to impose a strict hierarchical trust model on
> OpenPGP anyway. So I don't think it's a particularly good idea to
> somehow combine OpenPGP with DNS/DNSSEC/DANE.

I think there are ways to combine PGP ideas with DNS and DNSSEC in a useful manner, DANE is not one of them.

The approach I have been using most recently is an extension of the .onion idea. But instead of making a key fingerprint a subdomain, I make it the root. So example.com.<fingerprint> becomes an assertion 'the names in example.com as controlled by a valid, current security policy signed by a key matching <fingerprint>'. Now that is an approach I can tie servers to in admin files.
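
The fingerprint-rooted name described in the message above, sketched as an added Go example that is not from the thread or from the author's own implementation. The policy record, its signed encoding, the Ed25519 key type and the base32 SHA-256 fingerprint are all assumptions made for illustration; the message specifies none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
	"time"
)

type Policy struct { // hypothetical record; the thread defines no policy format
	Zone     string    // names the policy speaks for
	NotAfter time.Time // end of validity
	Key      ed25519.PublicKey
	Sig      []byte // made by Key over tbs()
}
func (p Policy) tbs() []byte { return []byte(p.Zone + "|" + p.NotAfter.UTC().Format(time.RFC3339)) }

func Fingerprint(k ed25519.PublicKey) string {
	sum := sha256.Sum256(k) // assumed encoding: base32 keeps the label under 63 octets
	return strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(sum[:]))
}

func SamplePolicy() Policy {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero demo seed
	p := Policy{Zone: "example.com", NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC), Key: priv.Public().(ed25519.PublicKey)}
	p.Sig = ed25519.Sign(priv, p.tbs())
	return p
}

// CheckName accepts "<dns name>.<fingerprint>" only under a valid, current policy signed by that key.
func CheckName(name string, p Policy, now time.Time) error {
	l := strings.Split(strings.ToLower(name), ".")
	host, fp := strings.Join(l[:len(l)-1], "."), l[len(l)-1]
	switch {
	case len(p.Key) != ed25519.PublicKeySize || fp != Fingerprint(p.Key):
		return fmt.Errorf("policy key does not match fingerprint label")
	case !ed25519.Verify(p.Key, p.tbs(), p.Sig) || now.After(p.NotAfter):
		return fmt.Errorf("policy signature invalid or policy expired")
	case host != p.Zone && !strings.HasSuffix(host, "."+p.Zone):
		return fmt.Errorf("name outside policy zone")
	}
	return nil
}

func main() {
	p := SamplePolicy()
	fmt.Println(CheckName("www.example.com."+Fingerprint(p.Key), p, time.Now()))
}
```

Because the final label commits to the signing key, a policy substituted by whoever controls the parent DNS hierarchy fails the first check unless it is signed by the same key.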