Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

"John R Levine" <johnl@taugh.com> Wed, 23 March 2016 20:28 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04B1712D8B7 for <pkix@ietfa.amsl.com>; Wed, 23 Mar 2016 13:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=AFExgYKy; dkim=pass (1536-bit key) header.d=taugh.com header.b=Xgj86FDv
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id anSzYzaMGt1b for <pkix@ietfa.amsl.com>; Wed, 23 Mar 2016 13:28:43 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 316D312D8B5 for <pkix@ietf.org>; Wed, 23 Mar 2016 13:28:43 -0700 (PDT)
Received: (qmail 64082 invoked from network); 23 Mar 2016 20:28:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=fa51.56f2fc7a.k1603; bh=8+a3VhvfSOIHNXI5Qe3ZWksbLUmtJHhD/II1u0zAm7g=; b=AFExgYKydDt7CTXpCsYar6EL0ajqjOdyK11bprBzmYnJ/DpIYGU7liIVp7Z4KAucPm1fcN21/trA0T6rc/ZUDZTTKpW5baZ559hYrB4yCd5VVXkVdFZd181/rPUlmtO6vGV1H0ZmyEFu/iuNXEMHEDG2SXGqShgvpXtaIvIapRKhILzSZvuSKif6ICBnWiz3CuAMtsOCeKy/4p+pLt2PKcoAellsdjdoWCC3iX/UlmtCrhg7QOTTb69iodkoMHkU
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=fa51.56f2fc7a.k1603; bh=8+a3VhvfSOIHNXI5Qe3ZWksbLUmtJHhD/II1u0zAm7g=; b=Xgj86FDvRVgORgyLq2mDzBi/CmZdZ9K+X11Y8Zzbk6lrld4CJEMpBk6qP3InFA6ddzJ5AxJ3oATZqDx72NE0Sgrsd3ksEecyxOno5KWr922RaY0jVHhQIQ0dYOxMyr/4kp/uD/BE7lF0haTS/GED7inc4aia7A4axQAId/DCKQKwD8qWhjyJb/eO9ZhMZoPhX5BeVklg9UkXLwn3IO+/samh9DKtGwVwPVFA6Cp3VoW/U6Ezt35jfmLGrOapNbdW
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 23 Mar 2016 20:28:42 -0000
Date: Wed, 23 Mar 2016 16:28:41 -0400
Message-ID: <alpine.OSX.2.11.1603231625530.4624@ary.lan>
From: John R Levine <johnl@taugh.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
In-Reply-To: <FB501B0B-999D-45E4-A739-4D561A25275B@mitre.org>
References: <CAAFsWK3HEXDgqONxBohBCGMKk2qMa230fxcNEaGhoTwQZVYQoQ@mail.gmail.com> <alpine.OSX.2.11.1603221443230.18473@ary.lan> <CAAFsWK2Xbw0eU2oz4edtmPH5PhwJgQkTYWKhFruZnCnD37c_CQ@mail.gmail.com> <alpine.OSX.2.11.1603231431110.4624@ary.lan> <FB501B0B-999D-45E4-A739-4D561A25275B@mitre.org>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/58b8qoA633qCG74Whis_NCVDPro>
Cc: PKIX <pkix@ietf.org>, Brian Haberman <brian@innovationslab.net>, IETF SMIME <smime@ietf.org>
Subject: Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2016 20:28:45 -0000

> So an authoritative service makes sense in an Enterprise context, but not in a consumer context.  How do you preserve consumer choice if Yahoo! owns their email service, but they want to certify keys elsewhere?

Welcome to the key semantics undrainable swamp of despair.

If the domain says "I'm authoritative for all my users" and one of the 
users says "no you're not", there's no mechanical way to resolve that. 
You can punt to the user, which is known not to work ("Accept domain 
self-signed key for igor@example.org gargle jargon blurch OK!") or else 
you can appeal to a credible third party.  Except the third parties are 
CAs and they're not as credible as we might wish.

This is why the draft tiptoes around the edge of the swamp, for fear of 
falling in.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.