Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00
Wei Chuang <weihaw@google.com> Thu, 24 March 2016 13:35 UTC
Return-Path: <weihaw@google.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B2012DB1E for <pkix@ietfa.amsl.com>; Thu, 24 Mar 2016 06:35:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Imy4TIJ1dKMd for <pkix@ietfa.amsl.com>; Thu, 24 Mar 2016 06:35:27 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46C3112DA18 for <pkix@ietf.org>; Thu, 24 Mar 2016 06:34:51 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id e6so58100544vkh.2 for <pkix@ietf.org>; Thu, 24 Mar 2016 06:34:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=rygVlTyFGKAw6vPPvYLTLAfit4NcoIwhTFIyBsFMmE0=; b=UjqaX4JomKtNn8MrxYqmoh7Bhi1DqqyOsWSRC+aE4x9rSueQeve3P8BWvIVLCV7oA7 X0HRY/mcHBo7Hhem+/aUJThCj2T0A+1L0TvwW26Yxm3QZ+jg1Wq6C0KBHYyzy2LAT8sC y3C3SpjYB7jf9lFGJmFTlTvLAjR/CCLdwtr68LZ968NNs5VL3xAFxoQZoS3e4kajMtWe QMuNHR5MPgUS9hSMjuswgKEbeypcnuA3UIGUoFZ9QsvsJ6mpmursTnbuFEDsRDIfvFck JtFOe7juXzsJYuRmq11Av0xFRCJ7SY0VNbOQCXj9Q4CCpbcNZbjDi0ibsLHPnPDheMWM MSLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=rygVlTyFGKAw6vPPvYLTLAfit4NcoIwhTFIyBsFMmE0=; b=hzvzVK+r2wEbjBx5zenK7E4Cv7d3CEb7oLth9KoSDw1kmoYa4knUy9Wj3F0olSVKAG c3KwoV33hoDd1PjunpJORoR6RM9iMzk0ZWp4Xccg5EXMSOsG6C93omtkpPdhTtmaNg5y xCmUjBXrH3C8KkVkokh9Y6zl/rqulS/g8v6mMFZ7jkaStyynOkytCV9zxzMItTa6MCVr xsdyLtXEuKJlZKnZCjhr+NLuNPI5n4tAB2Z/7kgbIseMrC8nDhAQDsXpJlwA5QEkDKIV vMvPKPNx0yOkjayYXBWxrlClO8Vb0SgbViHVtpyD/rpXJed+y53RvCdSdgUrlb/A20FY pRyQ==
X-Gm-Message-State: AD7BkJJCAb/Lt8/WploNRCypxTh12k91J71kM3YjdgpOkTdcf4a7q+60eTiDLrvev9+2H6WyKgxZKC7cfFkUQ+4G
MIME-Version: 1.0
X-Received: by 10.31.11.201 with SMTP id 192mr4401098vkl.135.1458826490176; Thu, 24 Mar 2016 06:34:50 -0700 (PDT)
Received: by 10.159.36.179 with HTTP; Thu, 24 Mar 2016 06:34:50 -0700 (PDT)
In-Reply-To: <BY1PR09MB09201BC92CD9FD1E76703D7FAE820@BY1PR09MB0920.namprd09.prod.outlook.com>
References: <CAAFsWK3HEXDgqONxBohBCGMKk2qMa230fxcNEaGhoTwQZVYQoQ@mail.gmail.com> <alpine.OSX.2.11.1603221443230.18473@ary.lan> <CAAFsWK2Xbw0eU2oz4edtmPH5PhwJgQkTYWKhFruZnCnD37c_CQ@mail.gmail.com> <alpine.OSX.2.11.1603231431110.4624@ary.lan> <FB501B0B-999D-45E4-A739-4D561A25275B@mitre.org> <CAAFsWK1p-_HNYwM1B-p8MMo58u2hURW45ytKr_1f3h+XKDS5wA@mail.gmail.com> <BY1PR09MB09201BC92CD9FD1E76703D7FAE820@BY1PR09MB0920.namprd09.prod.outlook.com>
Date: Thu, 24 Mar 2016 06:34:50 -0700
Message-ID: <CAAFsWK3KS9HnNpQdkdY7skBhMaGz9h1rbXTCZn6Nj-+TdNPu1w@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Content-Type: multipart/alternative; boundary="001a11455152bce127052ecb82b6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/D0_CRrR92xYH3ZrsLDcBZDSlims>
Cc: PKIX <pkix@ietf.org>, Brian Haberman <brian@innovationslab.net>, John R Levine <johnl@taugh.com>, IETF SMIME <smime@ietf.org>
Subject: Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2016 13:35:30 -0000
On Thu, Mar 24, 2016 at 5:25 AM, Miller, Timothy J. <tmiller@mitre.org> wrote: > > Could Yahoo! (in this example) not provide a means for their users to > update > > the key lookup service? As the user is authenticated through their UI, > he or > > she could upload the keys they want in a secure way. (A realistic > > deployment caveat might be that Yahoo! puts some restrictions on e.g. > > Yahoo! might not support self-signed, weak key sizes etc). One might > argue > > Yahoo! wouldn't want to provide a key service, but then that's fine. > Without > > the SRV RR, things should be defined to fall back to the current state of > > things. > > First, consider a user forwarding mail from Yahoo! to some other service, > or using a single client to access multiple mailboxes but replying from a > single address. Who attests to what in these cases? > I don't believe a key service complicates these scenarios, rather as you say the underlying PKI 'who' question does. > > Second, by adding provider-side infrastructure you're increasing the cost > of providing the mail service with no direct benefit to the mail provider > himself. There's an indirect benefit in which you're making the service > slightly more attractive to a certain niche of users, but that's probably > not even measurable as that niche is exceedingly small. IOW, there's no > incentive. > Providing a key service would be up to the provider. Some might choose not to, and thereby solely use MUA based distribution. Where a key service is provided, I would think there could be these benefits: * Keep private the initial conversation * Certificate renewal upon expiry or similarly when revoked * Describe the allowed trust anchor (for verification which shouldn't be all the time) * Potentially handle email address name variants e.g. subaddressing, capitalization -Wei > > My advice is to keep it as simple as possible. MUAs interact directly > with users, so it should be MUAs that provide assurance, not mail > providers. This relieves the provider from having to worry about it, and > users can opt in or out at will using any mail provider or key > infrastructure they choose (up to and including roll-your-own). > > -- T > > >
- [pkix] Key lookup service via draft-bhjl-x509-srv… Wei Chuang
- Re: [pkix] Key lookup service via draft-bhjl-x509… John R Levine
- Re: [pkix] Key lookup service via draft-bhjl-x509… Wei Chuang
- Re: [pkix] Key lookup service via draft-bhjl-x509… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Wei Chuang
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Wei Chuang
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… Wei Chuang
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Michael StJohns
- Re: [pkix] [smime] Key lookup service via draft-b… John Levine