Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

"Miller, Timothy J." <tmiller@mitre.org> Thu, 24 March 2016 17:35 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: John R Levine <johnl@taugh.com>
Date: Thu, 24 Mar 2016 17:35:21 +0000
Message-ID: <BY1PR09MB0920D9D77D591080E5929631AE820@BY1PR09MB0920.namprd09.prod.outlook.com>
References: <CAAFsWK3HEXDgqONxBohBCGMKk2qMa230fxcNEaGhoTwQZVYQoQ@mail.gmail.com> <alpine.OSX.2.11.1603221443230.18473@ary.lan> <CAAFsWK2Xbw0eU2oz4edtmPH5PhwJgQkTYWKhFruZnCnD37c_CQ@mail.gmail.com> <alpine.OSX.2.11.1603231431110.4624@ary.lan> <FB501B0B-999D-45E4-A739-4D561A25275B@mitre.org> <CAAFsWK1p-_HNYwM1B-p8MMo58u2hURW45ytKr_1f3h+XKDS5wA@mail.gmail.com> <BY1PR09MB09201BC92CD9FD1E76703D7FAE820@BY1PR09MB0920.namprd09.prod.outlook.com> <alpine.OSX.2.11.1603241107510.9761@ary.lan>
In-Reply-To: <alpine.OSX.2.11.1603241107510.9761@ary.lan>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/0y3ICrwO4AC-a-f6-cv_KJtUl3I>
Cc: PKIX <pkix@ietf.org>, IETF SMIME <smime@ietf.org>
Subject: Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

> I wouldn't disagree, but I would also point out that there are a lot of people
> who are eager to add a per-domain key lookup to their mail service.
> There are proposals in DANE to publish PGP and S/MIME keys directly in the
> DNS which are a bad idea for various reasons, but I don't see any reason that
> a domain operator shouldn't be able to offer a key server if it wants.  Scott
> Rose at NIST and Richard Lau at ICANN have expressed interest in the DANE
> versions, so I'd like to give them an option that could work.

DANE's purpose is to allow me to clearly associate a trust anchor to a domain name, which is critical to resolve the "How do I signal which CA is authoritative?" problem in TLS/SSL, but I'm not sure that ports over to S/MIME.  In TLS the association between DNS name and a CA is virtually always 1:1 (domain name owner and the service owner are the same organization), but in S/MIME it's 1:many (the domain name owner and email users are not always the same organization; e.g., yahoo.com, gmail.com, hotmail.com, &etc.).

Providing an option sounds good on paper, but in practice not so much.  Options add complexity and ambiguity, and that leads to violated expectations, which is counter to the goal of having something that "just works" such that it can be taken up without penalty.  Simplicity serves that goal far better.

> My main concern would be to keep it crystal clear that the key server
> semantics are "foo.com asserts this is the key for bob@foo.com" rather than
> "this is the key for bob@foo.com".

A certificate repository is, at best, relaying *stale* information it got from somewhere else.  Only the MUA actually knows what keys are held by the user at any given moment.  So why have a middleman?  Convenience?  Convenient access to the MUA's knowledge can be had without a central repository.  Why else?

-- T