Re: [pkix] Key lookup service via draft-bhjl-x509-srv-00
"John R Levine" <johnl@taugh.com> Tue, 22 March 2016 20:38 UTC
Return-Path: <johnl@taugh.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EBDF12D61E for <pkix@ietfa.amsl.com>; Tue, 22 Mar 2016 13:38:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=PO9KTf5j; dkim=pass (1536-bit key) header.d=taugh.com header.b=ZCwAzWDw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e5knzsjQg22V for <pkix@ietfa.amsl.com>; Tue, 22 Mar 2016 13:38:20 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 376A512D975 for <pkix@ietf.org>; Tue, 22 Mar 2016 13:38:20 -0700 (PDT)
Received: (qmail 76450 invoked from network); 22 Mar 2016 20:38:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=12aa0.56f1ad3b.k1603; bh=GAiwdftYb52fJW9yIpqJKWHFmI9ckRyJ4ZkUPLmlFVI=; b=PO9KTf5jwC9GLCX1h2ne3vNSq+VwhU2oYg0yYuSp+0GugSB/iVSwEb5ZK6A0MjN/I73LUSMg55xncATmyZppVFMiRtaEfNwGScRpCzqs0d32MqLAD/gy96SPhKszXk+RpBKKgVM9bY6sQfcczxhs82CuKt8W1JDy29UOIyzvRQhaLGFOyM5pZUNqOLBzHMS+XGtaL8sFD3Sc6ISo1qYsHGwYRfqiHcSKMGcKf/BB4EY6FDQGyWj+ozsIHvZEjI69
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=12aa0.56f1ad3b.k1603; bh=GAiwdftYb52fJW9yIpqJKWHFmI9ckRyJ4ZkUPLmlFVI=; b=ZCwAzWDw1RnksOlnidy3vovNC67uYcs9rA/8/9YCvs2R/sI8O0WudgsRC3XQ5Azi555k/wt/NTx/OufTSLPo8vMUl7TTXSdJbbS+ZZNPuv27vjmHkaa3+zIggWZzg9eOb9XbfNmdfAGsPmyS/BmkFRBI9T4XYvR9OM4c2MN162J7KI3gwvmVK0DwTm8Ugj2M4AdQmRMfXvg9G76JlxuuHK/wgVG/KjIt1yNgZ22T+OciVCrI79LPCxwp6vJusrpE
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 22 Mar 2016 20:38:18 -0000
Date: Tue, 22 Mar 2016 16:38:18 -0400
Message-ID: <alpine.OSX.2.11.1603221443230.18473@ary.lan>
From: John R Levine <johnl@taugh.com>
To: Wei Chuang <weihaw@google.com>
In-Reply-To: <CAAFsWK3HEXDgqONxBohBCGMKk2qMa230fxcNEaGhoTwQZVYQoQ@mail.gmail.com>
References: <CAAFsWK3HEXDgqONxBohBCGMKk2qMa230fxcNEaGhoTwQZVYQoQ@mail.gmail.com>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/LvpuvAI5mWUloiL62sB0RT5Z3M4>
Cc: PKIX <pkix@ietf.org>, Brian Haberman <brian@innovationslab.net>, IETF SMIME <smime@ietf.org>
Subject: Re: [pkix] Key lookup service via draft-bhjl-x509-srv-00
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 20:38:22 -0000
> I think this draft (draft-bhjl-x509-srv-00 > <https://tools.ietf.org/html/draft-bhjl-x509-srv-00>) very usefully defines > a means to lookup certificates for S/MIME users, and wonder if we could > discuss this. As far as I can tell it hasn't been discussed else where. We offered it to DANE, but it appears that DANE is rapidly winding down so PKIX seems as good a place as any. > I also don't know if there are other similar proposals, and if a comparison > between this and other approaches has been done. This or some other key > lookup service would be very helpful in enabling email message based > encryption/authentication. > The draft proposes a new DNS SRV record that defines a URL to lookup > certificate (both PKIX and PGP) over HTTPS for email. Actually, they're not new, all straight out of RFC 4387. This draft is mostly a profile of 4387, which offers multiple ways to do stuff, choosing one option from each set so it's easier to interoperate. > The draft is pretty complete but some of the description could be > expanded. It doesn't define define behavior when the certificate is > missing or invalid. Presumably some sort of HTTP error code? RFC 4387 says to use normal http error codes. If there's no such certificate that would be the familiar 404 code. I suppose we could say that but I'd prefer not to repeat material from other specs. > What should be the response when the key server is aware that the > certificate has been revoked, and there is no replacement? I'd think it's 404, no cert for you, or maybe 410 Gone. > The set of related things outside the main scope of the draft. A tricky > problem with key lookup has been privacy. The worry is that spammers or > phishers would try to use such a key discovery service to find more > victims. Having been in the mail business for decades, I'm not worried about it. Bad guys already have more addresses than they know what to do with, and there are easier ways to scrape addresses than guessing one address per URL. We've had PGP key servers forever and bad guys don't seem to find them attractive. > Another worry is that the security of this proposal is based on DNSSEC > which is only very slowly being deployed and many clients may not be > able to interoperate with that. Not really. The keys deliberately are *not* automatically authoritative so it's not a privacy crisis if someone inserts a fake server. Clients need to apply local policy to decide whether to trust them, just like you would for keys from traditional PGP key servers or anywhere else. The only thing that depends on DNSSEC for trust is the new option for a domain to publish a S/MIME signing key for its users' keys. Lacking DNSSEC, the traditional CA PKI is still there. R's, John
- [pkix] Key lookup service via draft-bhjl-x509-srv… Wei Chuang
- Re: [pkix] Key lookup service via draft-bhjl-x509… John R Levine
- Re: [pkix] Key lookup service via draft-bhjl-x509… Wei Chuang
- Re: [pkix] Key lookup service via draft-bhjl-x509… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Wei Chuang
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Wei Chuang
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… Wei Chuang
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Miller, Timothy J.
- Re: [pkix] [smime] Key lookup service via draft-b… John R Levine
- Re: [pkix] [smime] Key lookup service via draft-b… Michael StJohns
- Re: [pkix] [smime] Key lookup service via draft-b… John Levine