Re: [openpgp] [dane] The DANE draft

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 06 August 2015 09:58 UTC

To: Paul Wouters <paul@nohats.ca>, dane WG list <dane@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/y0fDfOyiE5Yb5tWhu6A6Nl72x1o>
Cc: IETF OpenPGP <openpgp@ietf.org>

Paul,

On 06/08/15 09:23, Paul Wouters wrote:
> On Wed, 5 Aug 2015, Carsten Strotmann wrote:
> 
>> for OPENPGPKEY/SMIMECERT zones, operators could (maybe SHOULD) use
>> NSEC/NSEC3 "narrow" signing to prevent "zone-walking".
> 
> email addresses are not secret. That is not the privacy you can protect
> at all. Anyone can either do an internet search or just attempt to
> deliver an email to figure out if the email address is valid.

That doesn't address my issue with this as a precedent. Nor the
case of negative DNS responses trivially leaking that someone at
my IP address wants to send a mail to <here> at this time. (And
yes, the trivially is a required part of the argument.)

And "are not secret" isn't, I think, the right comparison. For me,
the question is "if we want to experiment with user identifiers in
DNS names, can we do it in the least privacy unfriendly, but yet
practical, way as possible?"

Yes, some people may oversell the benefits of hashing or may believe
hashing is stronger than it is. Such mistaken beliefs however do not
make hashing worse than b32. Hashing is still a bit better.

> I might agree but I think the gain for this is so incredibly small, that
> I think the gain for use of online signers plus email address
> corrections by the smtp+dnssec combined server is actually a more likely
> and minorly useful thing to have.

Can you point me at a DNS server (or real specification for one)
that generates responses in any similar fashion? I'm not aware of
any that actually do, (even if they could do), but that may just be
my ignorance.

IMO even if there is a niche of DNS authoritative servers that
can operate in that manner, requiring that that niche be used
for the experiment makes it highly likely the experiment will
fail.

So my logic would be: if b32 is needed, the experiment will
likely fail as you can't do it on many servers. If b32 is not
needed, then let's just hash since that is less bad.

> And don't get me wrong. I'd rather see zonefiles with a hash than with
> base32 cut from an esthetical point of view.

Well, let's do that then:-)

S.


> 
> Paul
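The hash-versus-b32 trade-off argued in this message, as an added example that is not part of the original thread or of any draft text. It assumes the hashed label is SHA-256 of the local-part truncated to 28 octets and hex-encoded (the form later published in RFC 7929) and that the b32 label is unpadded lowercase base32 of the local-part; the function names and the sample address are constructed for illustration.

```python
import base64
import hashlib
from typing import Iterable, Optional

ZONE_LABEL = "_openpgpkey"


def hashed_owner(local_part: str, domain: str) -> str:
    """Owner name with a hashed first label (SHA-256, truncated to 28 octets, hex)."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{ZONE_LABEL}.{domain}"


def b32_owner(local_part: str, domain: str) -> str:
    """Owner name with a base32 first label (assumed encoding, see lead-in)."""
    label = base64.b32encode(local_part.encode("utf-8")).decode("ascii")
    label = label.rstrip("=").lower()
    if len(label) > 63:  # a single DNS label is limited to 63 octets
        raise ValueError("local-part too long for one base32 label")
    return f"{label}.{ZONE_LABEL}.{domain}"


def recover_from_b32(owner: str) -> str:
    """What anyone who sees the query name learns: base32 is just an encoding."""
    label = owner.split(".", 1)[0].upper()
    label += "=" * (-len(label) % 8)  # restore the padding that was stripped
    return base64.b32decode(label).decode("utf-8")


def match_hashed(owner: str, domain: str, candidates: Iterable[str]) -> Optional[str]:
    """A hashed label yields the local-part only if it is already on a guess list."""
    for candidate in candidates:
        if hashed_owner(candidate, domain) == owner:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample address: hugh@example.com
    b32_name = b32_owner("hugh", "example.com")
    hash_name = hashed_owner("hugh", "example.com")
    print(b32_name, "->", recover_from_b32(b32_name))
    print(hash_name, "->", match_hashed(hash_name, "example.com", ["alice", "bob"]))
```

The base32 name decodes directly to the local-part, while the hashed name matches only when the observer already holds the right guess, which is the "a bit better" the message describes.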