Re: [pkix] [smime] Key lookup service via draft-bhjl-x509-srv-00

"Miller, Timothy J." <tmiller@mitre.org> Thu, 24 March 2016 14:02 UTC

To: Wei Chuang <weihaw@google.com>
Cc: PKIX <pkix@ietf.org>, Brian Haberman <brian@innovationslab.net>, John R Levine <johnl@taugh.com>, IETF SMIME <smime@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/wOt-WAKBv7QXOTYDdO_ZE0Q388g>

> * Keep private the initial conversation

Peter's (I think it's his, at least he's the first person I heard it from) GETSMIME concept achieves the same result.  

Personally I prefer keeping discovery as a metaprotocol so only the MUA needs to implement it independent of MTAs, recognizing that this trades off against user convenience when the receiver is intermittently connected.  

The plus is that the MUA *always* has the current key, whereas all repositories get out of date quickly.  We have extensive experience with this in the DoD--expired userSMIMECertificate attributes in the Exchange GAL (effectively an LDAP directory) are a constant problem.  Keeping userCertificate attributes synced with the CA publication directory is also a royal PITA.

Reduce the moving parts and the system will be more robust.  Direct client-to-client key discovery will be more accurate, more easily deployed, and can be semi or fully automated.

> * Certificate renewal upon expiry or similarly when revoked

No.  Renewal is security sensitive, so automation is really not a great idea.  In certain niches--e.g., non-person autorenewal within an enterprise authentication domain like Active Directory--it's acceptable, but for persons I would recommend against it.

Revocation--in the commercial world and consumer PKI use case, anyway--is rare enough to just ignore.  Key continuity is a safer approach.

> * Describe the allowed trust anchor (for verification which shouldn't be all
> the time)

Why does the *cert repository* get to say who my CA is?

> * Potentially handle email address name variants e.g. subaddressing,
> capitalization

Too hard a problem to address external to the mail system, as we've seen.  

OTOH, direct client-to-client discovery doesn't have this problem *at all*.

-- T
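The stale-directory problem described in the message above (expired certificates left sitting in userCertificate / userSMIMECertificate attributes) is easy to audit once the attribute values are in hand. The following is an added example, not code from the author or from the thread: it takes DER certificate blobs as an LDAP search would return them, pulls the Validity field out with a minimal standard-library DER walker, and reports which addresses have no currently valid certificate. The directory entries, addresses and the `make_test_cert` helper are constructed test data (unsigned, certificate-shaped blobs), not real certificates, so the script runs offline; against a real GAL you would replace `DIRECTORY` with the results of an LDAP query.

```python
"""Audit S/MIME certificates stored as LDAP attributes for expiry.

Added example (not from the original message). Standard library only:
a minimal DER walker extracts notBefore/notAfter from each certificate.
DIRECTORY below is constructed test data, not a real GAL dump.
"""
import datetime as dt

UTC = dt.timezone.utc


# ---------- minimal DER reader ----------

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each TLV inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def _parse_time(tag, val):
    """Decode RFC 5280 Time: UTCTime (0x17, YY) or GeneralizedTime (0x18, YYYY)."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, s = yy + (1900 if yy >= 50 else 2000), s[2:]   # RFC 5280 4.1.2.5.1
    elif tag == 0x18:
        year, s = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    if not s.endswith("Z"):
        raise ValueError("Time must be in UTC (trailing Z)")
    mo, d, h, mi, se = (int(s[i:i + 2]) for i in range(0, 10, 2))
    return dt.datetime(year, mo, d, h, mi, se, tzinfo=UTC)


def cert_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = list(_children(fields[3][1]))[:2]
    return _parse_time(t1, v1), _parse_time(t2, v2)


def audit_directory(entries, now):
    """entries: {mail: [der, ...]} -> {mail: [(status, notAfter or None), ...]}."""
    report = {}
    for mail, certs in entries.items():
        for der in certs:
            try:
                nb, na = cert_validity(der)
                status = "expired" if now > na else "not-yet-valid" if now < nb else "valid"
            except (ValueError, IndexError):
                status, na = "unparseable", None   # garbage in the attribute is also stale
            report.setdefault(mail, []).append((status, na))
    return report


def addresses_without_valid_cert(report):
    """Addresses for which no stored certificate is currently valid."""
    return sorted(m for m, rows in report.items() if not any(s == "valid" for s, _ in rows))


# ---------- constructed test data (not real certificates) ----------

def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _time_tlv(t):
    """UTCTime for 1950-2049, GeneralizedTime otherwise, as RFC 5280 requires."""
    if 1950 <= t.year < 2050:
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def make_test_cert(not_before, not_after):
    """Certificate-shaped DER with the given validity; empty names, dummy key, no signature."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    empty_name = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + empty_name
                     + _tlv(0x30, _time_tlv(not_before) + _time_tlv(not_after))
                     + empty_name + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


NOW = dt.datetime(2016, 3, 24, 14, 0, 0, tzinfo=UTC)
DIRECTORY = {
    "alice@example.org": [make_test_cert(dt.datetime(2013, 1, 1, tzinfo=UTC), dt.datetime(2016, 1, 1, tzinfo=UTC))],
    "bob@example.org":   [make_test_cert(dt.datetime(2015, 6, 1, tzinfo=UTC), dt.datetime(2018, 6, 1, tzinfo=UTC))],
    "carol@example.org": [make_test_cert(dt.datetime(2012, 1, 1, tzinfo=UTC), dt.datetime(2015, 1, 1, tzinfo=UTC)),
                          make_test_cert(dt.datetime(2015, 1, 1, tzinfo=UTC), dt.datetime(2060, 1, 1, tzinfo=UTC))],
    "dave@example.org":  [b"\x04\x03not"],   # corrupt attribute value
}

if __name__ == "__main__":
    for mail, rows in audit_directory(DIRECTORY, NOW).items():
        print(mail, rows)
    print("no valid cert:", addresses_without_valid_cert(audit_directory(DIRECTORY, NOW)))
```

The walker deliberately stops at the Validity field and never checks the signature: the point is stored-attribute hygiene, not trust. For a real directory the same `audit_directory` call takes the raw attribute values returned by an LDAP client, and unparseable values are reported as stale rather than skipped, since a corrupt attribute leaves the sender no better off than an expired one.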