Re: [pkix] Key lookup service via draft-bhjl-x509-srv-00

"John R Levine" <johnl@taugh.com> Wed, 23 March 2016 18:33 UTC

To: Wei Chuang <weihaw@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/mzyLB1t5pGogu3uQ2BnQ4GpnDlM>
Cc: PKIX <pkix@ietf.org>, Brian Haberman <brian@innovationslab.net>, IETF SMIME <smime@ietf.org>

> I think the benefits of an authoritative server outweighs the worries that
> you suggest.  In the web world, it's been very helpful to be certain what
> one should chain up via browser certificate pinning or HPKP.  A whole host
> of malfeasance was found this way.  Even in the limited use that S/MIME has
> today, in government and defense, it's likely to be very useful.

>> The only thing that depends on DNSSEC for trust is the new option for a
>> domain to publish a S/MIME signing key for its users' keys.  Lacking
>> DNSSEC, the traditional CA PKI is still there.

If the WG thinks the domain's key should be authoritative, that'd be fine 
with me.  We didn't want to make any unilateral changes to the trust model 
without it being clear that it's a change and that there's consensus 
behind it.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.