Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

"John R Levine" <johnl@taugh.com> Thu, 24 March 2016 15:28 UTC

Date: Thu, 24 Mar 2016 11:12:15 -0400
Message-ID: <alpine.OSX.2.11.1603241107510.9761@ary.lan>
From: John R Levine <johnl@taugh.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/JQ6H7X8m91sOBzC1hYPYj4T5SrI>
Cc: PKIX <pkix@ietf.org>, IETF SMIME <smime@ietf.org>
Subject: Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

> My advice is to keep it as simple as possible.  MUAs interact directly with users, so it should be MUAs that provide assurance, not mail providers.  This relieves the provider from having to worry about it, and users can opt in or out at will using any mail provider or key infrastructure they choose (up to and including roll-your-own).

I wouldn't disagree, but I would also point out that there are a lot of 
people who are eager to add a per-domain key lookup to their mail service. 
There are proposals in DANE to publish PGP and S/MIME keys directly in the 
DNS which are a bad idea for various reasons, but I don't see any reason 
that a domain operator shouldn't be able to offer a key server if it 
wants.  Scott Rose at NIST and Richard Lau at ICANN have expressed 
interest in the DANE versions, so I'd like to give them an option that 
could work.

My main concern would be to keep it crystal clear that the key server 
semantics are "foo.com asserts this is the key for bob@foo.com" rather 
than "this is the key for bob@foo.com".

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
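One way an MUA could keep the semantics John asks for ("foo.com asserts this is the key for bob@foo.com") separate from its own trust decision, as an added example that is not part of this thread or of draft-bhjl-x509-srv-00; the SRV lookup itself is left out, and KeyAssertion, the domain-scope check and the pinning policy are assumptions of this example.

```python
# Added example, not code from the thread or the draft: models a key server
# answer as an assertion *by a domain*, then applies MUA-side policy to it.
# Fingerprints below are constructed placeholder strings, not real keys.
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyAssertion:
    asserting_domain: str   # domain whose key server returned the key
    address: str            # mailbox the key is claimed for
    key_fingerprint: str    # fingerprint of the returned certificate/key


def address_domain(address: str) -> str:
    # Quoted local parts may contain '@', so split on the last one.
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    return domain.lower()


def assertion_in_scope(a: KeyAssertion) -> bool:
    """A domain's key server may only speak for its own mailboxes."""
    return a.asserting_domain.lower() == address_domain(a.address)


def evaluate(a: KeyAssertion, pinned: dict) -> str:
    """MUA policy: the provider's assertion is evidence, not a verdict.

    pinned maps lower-cased address -> fingerprint the user already accepted.
    """
    if not assertion_in_scope(a):
        return "reject: out-of-scope assertion"
    known = pinned.get(a.address.lower())
    if known is None:
        return "unverified: domain-asserted key, ask user before trusting"
    if known == a.key_fingerprint:
        return "ok: matches pinned key"
    return "warn: key changed, provider assertion differs from pinned key"
```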