IETF Logo Mail Archive

Re: [openpgp] The DANE draft

Werner Koch <wk@gnupg.org> Fri, 24 July 2015 12:30 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 320631A00A0 for <openpgp@ietfa.amsl.com>; Fri, 24 Jul 2015 05:30:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmwSXyKIfIda for <openpgp@ietfa.amsl.com>; Fri, 24 Jul 2015 05:30:31 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5AD71A00DF for <openpgp@ietf.org>; Fri, 24 Jul 2015 05:30:22 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2 (Debian)) id 1ZIc7I-0004eR-T4 for <openpgp@ietf.org>; Fri, 24 Jul 2015 14:30:20 +0200
Received: from wk by vigenere.g10code.de with local (Exim 4.84 #3 (Debian)) id 1ZIc32-0005ea-Pl; Fri, 24 Jul 2015 14:25:56 +0200
From: Werner Koch <wk@gnupg.org>
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: Phillip Hallam-Baker <phill@hallambaker.com>, IETF OpenPGP <openpgp@ietf.org>
Date: Fri, 24 Jul 2015 14:25:56 +0200
In-Reply-To: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> (Phillip Hallam-Baker's message of "Fri, 24 Jul 2015 12:40:31 +0200")
Message-ID: <87si8dagiz.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/tkej-wtejNtcX6u0EgBRMKyYlGU>
Cc: IETF OpenPGP <openpgp@ietf.org>
Subject: Re: [openpgp] The DANE draft
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2015 12:30:34 -0000

On Fri, 24 Jul 2015 12:40, phill@hallambaker.com said:

> 2) If people find it does not meet OpenPGP needs, they should say so and
> have no qualms about objecting. It is much more important that there be a
> spec people use than that the document progress quickly.

I was a bit disappointed by the process: I learned about the I-D too late
and was surprised that it started out at the OpenPGP WG mailing list (2
years ago?) with just a few messages and then continued at the DANE list
without having notified the OpenPGP list.  IIRC, I send some thoughts on
this to the GnuPG list but people told me that it is too late for
changes to the I-D - so I gave up.

Here are some thoughts, anyway:

- Why a new DNS record despite that the CERT type has PGP support for
  9 years now (RFC-4398). 

  The argument for a new record is that this makes parsing easier
  because there is no need to loop over the record's sub-types.  I do
  not consider it a valid argument because there is a need to loop
  anyway because there may be several DANE records for the same key.
  Adding an extra loop over the sub-types is a non-brainer and the
  selection logic to find the best matching record will be the same.

  The CERT record is more flexible because it also allows the use of an
  indirect specification via fingerprint.  DANE however could use the
  straight PGP record and would be done.

  GnuPG has support for such CERT records including a script to create
  them also for about 9 years.  It is not widely used because most users
  have no way to add records to their zone - that is the same problem
  for DANE of course.

- The use of SHA-224 (really, see below) to map addresses to valid DNS
  characters is pure overkill.  The shorter SHA-1 is sufficient for
  this.  Counter argument is that SHA-1 shall be phased out.  I have not
  looked up that IETF statement but I hope it states the "use of SHA-1
  for cryptographic purposes".  For example rsync(1) still uses MD5
  which is sound for its purpose (SHA-1 would be better due to hardware
  support but that is another story). 

  Actually it is using SHA-256 truncated to the size of SHA-224.  Why
  not using SHA-224 (which has a different IV)?  That is surprising for
  any implementer.

- The I-D says about the local-part of the mail address:  

      ... it is turned into lowercase and hashed using the SHA2-256
      [RFC5754] algorithm, with the hash truncated to 28 octets ...

  Lowercasing UTF-8 characters is not easy and a likely reasons for
  interoperability problems.  It would be better to only require
  lowercasing ASCII characters and keep characters > 127 as they are.
   
- There is no hint in the RFC on how to find a key to verify a
  signature.  This can't be done via a mail address but requires the
  fingerprint (or as of today the key-id).

- How shall a key be retrieved or updated after a mail account has been
  closed?  It should be possible to verify signatures at all times.

  Thus another non DNS service to keep the key available needs to be
  setup too (e.g. a keyserver).  That service is also required to allow
  dissemination of revocation certificates.  IPGP records could be kept
  as long as the mail address has not been re-assigned.

- Implementation nit: The I-D states:

      The lookup result MUST pass DNSSEC validation; if validation
      reaches any state other than "Secure", the verification MUST be
      treated as a failure.

  As an implementer I see no way to do this without adding a full
  fledged DNSSEC resolver.
  

> People have been attempting to put email address related records into the
> DNS since the first drafts of the spec and none has taken off.

That is a general problem.  You need the support from the mail
providers.

> I do not find the idea of relying on the DNS for my keys remotely
> comforting and would not want to rely on such a record directly. The DNS
> has no persistence to it. Give me the MIT keyserver any day.

When intending to send a mail the first time the DNS is pretty useful
because it creates an association between mail address and key.  Thus
you can pick the right key and the recipient won't be annoyed by
encrypted mails they can't decrypt because the keyservers carry several
"faked" keys for their mail address.



Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

v2.23.0 | Report a Bug | By Email