
From paul.hoffman@vpnc.org  Tue Sep  4 08:07:29 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB9D521F8532 for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 08:07:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YkMUNDMuSqhD for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 08:07:29 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 4FFA821F84A0 for <dane@ietf.org>; Tue,  4 Sep 2012 08:07:28 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q84F7QrF086604 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dane@ietf.org>; Tue, 4 Sep 2012 08:07:27 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Message-Id: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
Date: Tue, 4 Sep 2012 08:07:29 -0700
To: IETF DANE WG list <dane@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
X-Mailer: Apple Mail (2.1486)
Subject: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2012 15:07:30 -0000

Greetings again. As those of you who were at the IETF meeting in Vancouver (or those who read the minutes at http://www.ietf.org/proceedings/84/minutes/minutes-84-dane) know, Jakob and I are unsure about how the WG might want our draft to look. The current version of the draft expires in a few days, so we have an opportunity to make major changes now.

>From our presentation:
What should be in the doc?
1.  Copy whole DANE-for-TLS RFC and make needed changes
2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy much
3.  Say “we assume you read and understood DANE-for-TLS, and here are the relevant differences”

If the WG can come to rough consensus in the next few days, we'll try to get the changes in before the doc expires; otherwise, we'll do an uninteresting bump draft and make the content changes later.

--Paul Hoffman

From rbarnes@bbn.com  Tue Sep  4 08:27:43 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D233B21F848F for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 08:27:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kqmLcuud-8No for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 08:27:43 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 29CAB21F8487 for <dane@ietf.org>; Tue,  4 Sep 2012 08:27:43 -0700 (PDT)
Received: from ros-dhcp192-1-51-103.bbn.com ([192.1.51.103]:57234) by smtp.bbn.com with esmtps (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1T8v2P-000O2Y-PR; Tue, 04 Sep 2012 11:27:37 -0400
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=windows-1252
From: Richard Barnes <rbarnes@bbn.com>
In-Reply-To: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
Date: Tue, 4 Sep 2012 11:27:37 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A2CD3D90-21F9-41FD-A6CA-239BE2FDF15E@bbn.com>
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1278)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2012 15:27:43 -0000

Mostly 3.

The main difference is how TLSA records are located, right?  Something like "lhs._at.rhs" instead of "_port._proto.name".  The validation rules are PKIX-based, not TLS-based, so they can be re-used for S/MIME.

So it seems like the S/MIME draft should just say something like:
1. Here's how you find a TLSA record for an email address (replaces Section 3 of RFC 6698)
2. Everything else is the same as in RFC 6698.

On Sep 4, 2012, at 11:07 AM, Paul Hoffman wrote:

> Greetings again. As those of you who were at the IETF meeting in Vancouver (or those who read the minutes at http://www.ietf.org/proceedings/84/minutes/minutes-84-dane) know, Jakob and I are unsure about how the WG might want our draft to look. The current version of the draft expires in a few days, so we have an opportunity to make major changes now.
>
> From our presentation:
> What should be in the doc?
> 1.  Copy whole DANE-for-TLS RFC and make needed changes
> 2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy much
> 3.  Say “we assume you read and understood DANE-for-TLS, and here are the relevant differences”
>
> If the WG can come to rough consensus in the next few days, we'll try to get the changes in before the doc expires; otherwise, we'll do an uninteresting bump draft and make the content changes later.
>
> --Paul Hoffman
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
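
Richard's two-part split (a new lookup-name rule, everything else inherited from RFC 6698) is concrete enough to show in code. What follows is an added example written for this archive; it is not code from the thread, from draft-hoffman-dane-smime, or from any DANE implementation. The `_<port>._<proto>.<host>` owner name and the selector / matching-type handling follow RFC 6698 sections 3 and 2.1. The `lhs._at.rhs` email form is only Richard's sketch from the message above, reproduced as an assumption so the checks a real naming rule needs (label length, dots, case) have something to bite on; it is not the draft's actual rule. The certificate is a constructed, unsigned stand-in with the right field layout and a fake key, and nothing here performs PKIX chain validation or interprets the certificate usage field.

```python
import hashlib
import hmac

def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """RFC 6698 section 3 owner name for a TLS service: _<port>._<proto>.<host>."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError("transport must be tcp, udp or sctp")
    return f"_{port}._{proto}.{host.rstrip('.').lower()}"

def smime_owner_name_sketch(address: str) -> str:
    """Richard's 'lhs._at.rhs' sketch (an assumption, NOT the draft's rule), kept to
    show what any rule must handle: one 63-octet label, no '.', and a local-part that
    is case-sensitive in SMTP while DNS matching is not (this sketch just loses that)."""
    local, at, domain = address.rpartition("@")
    if not (at and local and domain):
        raise ValueError("not an addr-spec")
    if len(local.encode("utf-8")) > 63:
        raise ValueError("local-part exceeds the 63-octet DNS label limit")
    if "." in local:
        raise ValueError("a '.' would split the local-part into several labels")
    return f"{local}._at.{domain.rstrip('.').lower()}"

# Minimal DER walking, just enough to find SubjectPublicKeyInfo in a certificate.
def _der_header(buf: bytes, off: int = 0):
    """(tag, header_length, value_length) of the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def _der_children(tlv: bytes):
    """Yield each element (as full TLV bytes) inside a constructed DER value."""
    _, hlen, vlen = _der_header(tlv)
    off, end = hlen, hlen + vlen
    while off < end:
        _, h, v = _der_header(tlv, off)
        yield tlv[off:off + h + v]
        off += h + v

def spki_of(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (RFC 6698 selector 1)."""
    fields = list(_der_children(next(_der_children(cert_der))))  # tbsCertificate
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    return fields[5]  # serial, sigalg, issuer, validity, subject, SPKI

def association_data(selector: int, matching_type: int, cert_der: bytes) -> bytes:
    """RFC 6698 sections 2.1.2/2.1.3: the bytes a TLSA record carries for this cert."""
    if selector not in (0, 1):
        raise ValueError("unassigned selector")
    subject = cert_der if selector == 0 else spki_of(cert_der)
    if matching_type == 0:
        return subject
    if matching_type in (1, 2):
        return (hashlib.sha256 if matching_type == 1 else hashlib.sha512)(subject).digest()
    raise ValueError("unassigned matching type")

def tlsa_rdata(usage: int, selector: int, matching_type: int, cert_der: bytes) -> str:
    """Presentation form a zone would publish, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {matching_type} {association_data(selector, matching_type, cert_der).hex()}"

def parse_tlsa(presentation: str):
    """Split 'usage selector mtype hex' (RFC 6698 section 2.2) into typed fields."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexdata.split()))

def tlsa_matches(selector: int, matching_type: int, data: bytes, cert_der: bytes) -> bool:
    """Does the certificate match the record's data?  Certificate usage (0-3) is not
    handled here: it governs the PKIX chain check this comparison sits inside."""
    return hmac.compare_digest(association_data(selector, matching_type, cert_der), data)

# Constructed sample input: a certificate's field layout with a fake key and signature.
def _tlv(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (definite lengths), used only to build the sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_cert() -> bytes:
    """Structurally valid, cryptographically meaningless: verifies nothing."""
    rsa = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
    spki = _tlv(0x30, _tlv(0x30, rsa + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + b"\x42" * 40))
    validity = _tlv(0x30, _tlv(0x17, b"120101000000Z") + _tlv(0x17, b"130101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")  # v3, serial 1
               + _tlv(0x30, sha256_rsa) + _tlv(0x30, b"") + validity         # sigalg, issuer
               + _tlv(0x30, b"") + spki)                                     # subject, SPKI
    return _tlv(0x30, tbs + _tlv(0x30, sha256_rsa) + _tlv(0x03, b"\x00" * 17))  # fake signature

if __name__ == "__main__":
    cert = sample_cert()
    record = tlsa_rdata(3, 1, 1, cert)
    print(tlsa_owner_name(443, "tcp", "www.example.com"), "IN TLSA", record)
    print(smime_owner_name_sketch("alice@example.com"), "IN TLSA", record)
    print("matches:", tlsa_matches(*parse_tlsa(record)[1:], cert))
```

Run stand-alone it prints a zone-style TLSA line for the sample certificate under both owner-name rules and checks the record against the certificate. The point Richard is making is visible in `association_data`: nothing in it depends on TLS, so the same selector and matching-type logic serves an S/MIME certificate unchanged. The selector-1 case is the one to notice operationally: the record commits only to the SubjectPublicKeyInfo, so the match survives re-issuing the certificate (or altering its signature bytes) as long as the key is unchanged, which is convenient for rollover and also why a record alone says nothing about whether that key is still the right one.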


From ietf@augustcellars.com  Tue Sep  4 09:22:38 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE4C421F84A0 for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 09:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PhQ36sxaIVe for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 09:22:37 -0700 (PDT)
Received: from smtp2.pacifier.net (smtp2.pacifier.net [64.255.237.172]) by ietfa.amsl.com (Postfix) with ESMTP id E915621F849C for <dane@ietf.org>; Tue,  4 Sep 2012 09:22:35 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp2.pacifier.net (Postfix) with ESMTPSA id 872432CA13; Tue,  4 Sep 2012 09:22:35 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Richard Barnes'" <rbarnes@bbn.com>, "'Paul Hoffman'" <paul.hoffman@vpnc.org>
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org> <A2CD3D90-21F9-41FD-A6CA-239BE2FDF15E@bbn.com>
In-Reply-To: <A2CD3D90-21F9-41FD-A6CA-239BE2FDF15E@bbn.com>
Date: Tue, 4 Sep 2012 09:21:10 -0700
Message-ID: <01c301cd8ab9$4c2db860$e4892920$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLAe29Kr4M9Kh42U9pQcHztmqOhzwGaNXOKlYepzgA=
Content-Language: en-us
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2012 16:22:38 -0000

I would like to see selection 2 used.


I would not copy any of the internal structure of DANE records - just point.
But I am not sure at this point that much of the rest of the document is
going to be the same.  If it is, then it can be eliminated later.

Jim


> -----Original Message-----
> From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of
> Richard Barnes
> Sent: Tuesday, September 04, 2012 8:28 AM
> To: Paul Hoffman
> Cc: IETF DANE WG list
> Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
> 
> Mostly 3.
> 
> The main difference is how TLSA records are located, right?  Something like "lhs._at.rhs" instead of "_port._proto.name".  The validation rules are PKIX-based, not TLS-based, so they can be re-used for S/MIME.
> 
> So it seems like the S/MIME draft should just say something like:
> 1. Here's how you find a TLSA record for an email address (replaces Section 3 of RFC 6698)
> 2. Everything else is the same as in RFC 6698.
> 
> 
> 
> 
> On Sep 4, 2012, at 11:07 AM, Paul Hoffman wrote:
> 
> > Greetings again. As those of you who were at the IETF meeting in Vancouver (or those who read the minutes at http://www.ietf.org/proceedings/84/minutes/minutes-84-dane) know, Jakob and I are unsure about how the WG might want our draft to look. The current version of the draft expires in a few days, so we have an opportunity to make major changes now.
> >
> > From our presentation:
> > What should be in the doc?
> > 1.  Copy whole DANE-for-TLS RFC and make needed changes
> > 2.  Copy structure of DANE-for-TLS RFC and point to it but don't copy much
> > 3.  Say "we assume you read and understood DANE-for-TLS, and here are the relevant differences"
> >
> > If the WG can come to rough consensus in the next few days, we'll try to get the changes in before the doc expires; otherwise, we'll do an uninteresting bump draft and make the content changes later.
> >
> > --Paul hoffman


From cloos@jhcloos.com  Tue Sep  4 16:19:27 2012
Return-Path: <cloos@jhcloos.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABFC421E8092 for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 16:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I+XPYe0Fdlqj for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 16:19:27 -0700 (PDT)
Received: from eagle.jhcloos.com (eagle.jhcloos.com [IPv6:2001:1938:12d::53]) by ietfa.amsl.com (Postfix) with ESMTP id EA15721E8082 for <dane@ietf.org>; Tue,  4 Sep 2012 16:19:26 -0700 (PDT)
Received: by eagle.jhcloos.com (Postfix, from userid 10) id C44BD40565; Tue,  4 Sep 2012 23:19:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=eagle; t=1346800765; bh=I4OUyyhFsk7qq5gAkADyi/nXJvGpLptQCKO8HMzOuKU=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=X/8ZE6ZSxMoKkFQO0apAmVJ1b7/MELdxfk5t6TJvFrbtV9d/qHzuWMqTwmcdT/kDS Lr/iYY8CknlIbyyHSmMwNktNqSH5BNN0eUD54kBan56gyzcvyZag9tqvUESjJmjhXE PSnuf4bieS2kiVMjcAegvdY85CWdr51lM15PMmOc=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id ACBF336004C; Tue,  4 Sep 2012 23:13:23 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: IETF DANE WG list <dane@ietf.org>
In-Reply-To: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org> (Paul Hoffman's message of "Tue, 4 Sep 2012 08:07:29 -0700")
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2012 James Cloos
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B  63E7 997A 9F17 ED7D AEA6
Date: Tue, 04 Sep 2012 19:13:23 -0400
Message-ID: <m3vcftmleb.fsf@carbon.jhcloos.org>
Lines: 16
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Hashcash: 1:30:120904:dane@ietf.org::5cnlOwklqedijDpB:000gOd/I
X-Hashcash: 1:30:120904:paul.hoffman@vpnc.org::SKFqtgWGA6juaNjs:000000000000000000000000000000000000000Q0HxU
Cc: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Sep 2012 23:19:27 -0000

>>>>> "PH" == Paul Hoffman <paul.hoffman@vpnc.org> writes:

PH> From our presentation:
PH> What should be in the doc?
PH> 1.  Copy whole DANE-for-TLS RFC and make needed changes
PH> 2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy much
PH> 3.  Say “we assume you read and understood DANE-for-TLS, and here are the relevant differences”

I'm leaning about 129/127 in favour of 3 over 2.
(Or should that be for 11 over 10? :)

But please do not choose option 1!

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

From mamille2@cisco.com  Tue Sep  4 18:46:43 2012
Return-Path: <mamille2@cisco.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B9BD11E808D for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 18:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uor7McAi3YoN for <dane@ietfa.amsl.com>; Tue,  4 Sep 2012 18:46:42 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id B108721F853E for <dane@ietf.org>; Tue,  4 Sep 2012 18:46:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=mamille2@cisco.com; l=5439; q=dns/txt; s=iport; t=1346809602; x=1348019202; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=/j14HDjrYzlWyJjVxiQ8pM9SGKPeQ7l5LUVO2yR/XbM=; b=F/yeuIydBqRPuX9QjRK/XJoj7DtoFeNnK2XA7HX/qqOtJ2dTffRZO/+z yVvFYGhwwtR9UNxMJeMF8uKrF1sn2CoIWO+PppyJwpUePTmCyxSQkH+/w Q7Q8rr0zfxhAGfEmc0qB8eQ765S9TjKXOtrgsKeQG4tCB9G1/0iCI0siu c=;
X-Files: smime.p7s, PGP.sig : 2214, 535
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAMeuRlCtJV2Z/2dsb2JhbABFuySBB4IgAQEBAwESAWYFCwIBCEYCMCUCBA4FCQUUh2UGC5p/oC+LCYZSYAOOYoEghVeOM4FngmM
X-IronPort-AV: E=Sophos;i="4.80,371,1344211200";  d="sig'?p7s'?scan'208";a="118310475"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-7.cisco.com with ESMTP; 05 Sep 2012 01:46:42 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id q851kgcY030198 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 5 Sep 2012 01:46:42 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.219]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.02.0298.004; Tue, 4 Sep 2012 20:46:41 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: [dane] How should draft-hoffman-dane-smime be written?
Thread-Index: AQHNiq8E/b6YoLu/oUyfvSDYqP+Xg5d7TwkA
Date: Wed, 5 Sep 2012 01:46:41 +0000
Message-ID: <7C427365-7B94-412B-8AF6-DF77F9AF7C68@cisco.com>
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
In-Reply-To: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-pgp-agent: GPGMail 1.3.3
x-originating-ip: [10.21.144.150]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19162.001
x-tm-as-result: No--27.576300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Apple-Mail-15--864787184"
MIME-Version: 1.0
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2012 01:46:43 -0000

On Sep 4, 2012, at 09:07, Paul Hoffman wrote:

> Greetings again. As those of you who were at the IETF meeting in Vancouver (or those who read the minutes at http://www.ietf.org/proceedings/84/minutes/minutes-84-dane) know, Jakob and I are unsure about how the WG might want our draft to look. The current version of the draft expires in a few days, so we have an opportunity to make major changes now.
>
> From our presentation:
> What should be in the doc?
> 1.  Copy whole DANE-for-TLS RFC and make needed changes
> 2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy much
> 3.  Say “we assume you read and understood DANE-for-TLS, and here are the relevant differences”
>
> If the WG can come to rough consensus in the next few days, we'll try to get the changes in before the doc expires; otherwise, we'll do an uninteresting bump draft and make the content changes later.

I would prefer (3), but would accept consensus around (2).


- m&m

Matt Miller - <mamille2@cisco.com>
Cisco Systems, Inc.


From miekg@atoom.net  Wed Sep  5 02:37:29 2012
Return-Path: <miekg@atoom.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531D821F844D for <dane@ietfa.amsl.com>; Wed,  5 Sep 2012 02:37:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HNAC6nUSW8Kl for <dane@ietfa.amsl.com>; Wed,  5 Sep 2012 02:37:28 -0700 (PDT)
Received: from elektron.atoom.net (elektron.atoom.net [85.223.71.124]) by ietfa.amsl.com (Postfix) with ESMTP id BFFAC21F84B6 for <dane@ietf.org>; Wed,  5 Sep 2012 02:37:28 -0700 (PDT)
Received: by elektron.atoom.net (Postfix, from userid 1000) id 77BF73FF6F; Wed,  5 Sep 2012 11:37:26 +0200 (CEST)
Date: Wed, 5 Sep 2012 11:37:26 +0200
From: Miek Gieben <miek@miek.nl>
To: dane@ietf.org
Message-ID: <20120905093726.GE21737@miek.nl>
Mail-Followup-To: dane@ietf.org
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org> <A2CD3D90-21F9-41FD-A6CA-239BE2FDF15E@bbn.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZRyEpB+iJ+qUx0kp"
Content-Disposition: inline
In-Reply-To: <A2CD3D90-21F9-41FD-A6CA-239BE2FDF15E@bbn.com>
User-Agent: Vim/Mutt/Linux
X-Home: http://www.miek.nl
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2012 09:37:29 -0000

[ Quoting <rbarnes@bbn.com> in "Re: [dane] How should draft-hoffman..." ]
> Mostly 3.
>
> The main difference is how TLSA records are located, right?  Something like "lhs._at.rhs" instead of "_port._proto.name".  The validation rules are PKIX-based, not TLS-based, so they can be re-used for S/MIME.
>
> So it seems like the S/MIME draft should just say something like:
> 1. Here's how you find a TLSA record for an email address (replaces Section 3 of RFC 6698)
> 2. Everything else is the same as in RFC 6698.

I'm in favor of that too. Keep it nice and short.

grtz Miek

From paul@cypherpunks.ca  Wed Sep  5 16:46:56 2012
Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB04521F8578 for <dane@ietfa.amsl.com>; Wed,  5 Sep 2012 16:46:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNlzsZq3e8Pg for <dane@ietfa.amsl.com>; Wed,  5 Sep 2012 16:46:56 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 619B321F856D for <dane@ietf.org>; Wed,  5 Sep 2012 16:46:56 -0700 (PDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id 09328804BF; Wed,  5 Sep 2012 19:46:05 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id F01FF80399; Wed,  5 Sep 2012 19:46:05 -0400 (EDT)
Date: Wed, 5 Sep 2012 19:46:05 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
Message-ID: <alpine.LFD.2.02.1209051941220.28517@bofh.nohats.ca>
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Sep 2012 23:46:56 -0000

On Tue, 4 Sep 2012, Paul Hoffman wrote:

> What should be in the doc?
> 1.  Copy whole DANE-for-TLS RFC and make needed changes
> 2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy much
> 3.  Say “we assume you read and understood DANE-for-TLS, and here are the relevant differences”

3 preferred, 2 okay.

Paul

From ogud@ogud.com  Thu Sep  6 06:35:08 2012
Message-ID: <5048A688.6080802@ogud.com>
Date: Thu, 06 Sep 2012 09:35:04 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
To: Paul Wouters <paul@cypherpunks.ca>
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org> <alpine.LFD.2.02.1209051941220.28517@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.02.1209051941220.28517@bofh.nohats.ca>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?

On 05/09/2012 19:46, Paul Wouters wrote:
> On Tue, 4 Sep 2012, Paul Hoffman wrote:
>
>> What should be in the doc?
>> 1.  Copy whole DANE-for-TLS RFC and make needed changes
>> 2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy
>> much
>> 3.  Say “we assume you read and understood DANE-for-TLS, and here are
>> the relevant differences”
>
> 3 preferred, 2 okay.
>

+1

	Olafur


From wes@hardakers.net  Fri Sep  7 14:44:06 2012
From: Wes Hardaker <wes@hardakers.net>
To: Paul Wouters <paul@cypherpunks.ca>
References: <403225CD-5DE7-4D49-9B75-C74C11EA5B63@vpnc.org> <alpine.LFD.2.02.1209051941220.28517@bofh.nohats.ca>
Date: Fri, 07 Sep 2012 14:44:03 -0700
In-Reply-To: <alpine.LFD.2.02.1209051941220.28517@bofh.nohats.ca> (Paul Wouters's message of "Wed, 5 Sep 2012 19:46:05 -0400 (EDT)")
Message-ID: <0lipbp8q58.fsf@wjh.hardakers.net>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] How should draft-hoffman-dane-smime be written?

Paul Wouters <paul@cypherpunks.ca> writes:

>> 2.  Copy structure of DANE-for-TLS RFC and point to it but don’t copy much
>> 3.  Say “we assume you read and understood DANE-for-TLS, and here
>> are the relevant differences”
>
> 3 preferred, 2 okay.

Ditto.  In some ways I worry about this becoming a repeating problem (I
think it will) and it would have made more sense to split the TLSA
document into logical pieces so you could say things like "go read this
and then apply these minor twiddles", and have the 'this' not be another
protocol-specific document like it is with TLSA.  So, you might think
that I'm thinking the right thing to do is

  4. publish the TLSA document again in a multi-document, split-up
     fashion so it's more reusable.

But I don't think it's worth the work, so 3 is likely better.

-- 
Wes Hardaker
My Pictures:  http://capturedonearth.com/
My Thoughts:  http://pontifications.hardakers.net/

From jakob@kirei.se  Mon Sep 10 13:15:37 2012
From: Jakob Schlyter <jakob@kirei.se>
Date: Mon, 10 Sep 2012 22:15:16 +0200
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com>
To: IETF DANE WG list <dane@ietf.org>
Message-Id: <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>
Subject: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

FYI, we've made a last-minute update to the DANE S/MIME draft based on
the input from the list.
If the WG would like to adopt this draft (which we hope it will), we'd
be happy to continue as editors.

Chairs: Will the WG meet in Atlanta?


	Jakob & Paul


Begin forwarded message:

> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-hoffman-dane-smime-04.txt
> Date: 8 september 2012 18:13:45 CEST
> To: paul.hoffman@vpnc.org
> Cc: jakob@kirei.se
>
>
> A new version of I-D, draft-hoffman-dane-smime-04.txt
> has been successfully submitted by Paul Hoffman and posted to the
> IETF repository.
>
> Filename:	 draft-hoffman-dane-smime
> Revision:	 04
> Title:		 Using Secure DNS to Associate Certificates with Domain Names For S/MIME
> Creation date:	 2012-09-06
> WG ID:		 Individual Submission
> Number of pages: 6
> URL:             http://www.ietf.org/internet-drafts/draft-hoffman-dane-smime-04.txt
> Status:          http://datatracker.ietf.org/doc/draft-hoffman-dane-smime
> Htmlized:        http://tools.ietf.org/html/draft-hoffman-dane-smime-04
> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hoffman-dane-smime-04
>
> Abstract:
>   This document describes how to use secure DNS to associate an S/MIME
>   user's certificate with the intended domain name, similar to the way
>   that DANE (RFC 6698) does for TLS.
>
>
>
>
> The IETF Secretariat
>

-- 
Jakob Schlyter
Kirei AB - http://www.kirei.se/


From cloos@jhcloos.com  Mon Sep 10 15:37:24 2012
From: James Cloos <cloos@jhcloos.com>
To: IETF DANE WG list <dane@ietf.org>
In-Reply-To: <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> (Jakob Schlyter's message of "Mon, 10 Sep 2012 22:15:16 +0200")
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>
Date: Mon, 10 Sep 2012 18:22:30 -0400
Message-ID: <m3r4q94iww.fsf@carbon.jhcloos.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

+1 on adopting.

As for the draft, do we really need a new RR?

If the content is the same as TLSA, just with a different naming scheme,
why not just use TLSA?

TLSA ought to be specified as suitable for anchoring any x.509-style
cert or cert chain in the dns.

Perhaps TLSA should have been called X509A?

A requirement to update dns software for every new use case might be an
excessive burden on the community.

Re-using TLSA for smime means that the only type of software (with
existing TLSA support) which would need updates would be DANE-specific
software like swede which would need an update anyway to generate and
verify associations on the new name.  (Smime consumers, of course, will
need an update no matter what the RR is called.)

(It certainly never occurred to me that more RRs would be proposed for
associations to 509-style certs.  I envisioned a risk of another RR
for, e.g., associations to OpenPGP certs, but not for other applications
of the 509-style ones.)

(That said, if the consensus here and at dnsext is for a new RR, then
I'll join that consensus.)

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

From paul.hoffman@vpnc.org  Mon Sep 10 16:09:38 2012
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <m3r4q94iww.fsf@carbon.jhcloos.org>
Date: Mon, 10 Sep 2012 16:09:34 -0700
Message-Id: <B437A422-4C12-41DB-A7AA-1DB738488F0F@vpnc.org>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <m3r4q94iww.fsf@carbon.jhcloos.org>
To: James Cloos <cloos@jhcloos.com>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

On Sep 10, 2012, at 3:22 PM, James Cloos <cloos@jhcloos.com> wrote:

> +1 on adopting.
>
> As for the draft, do we really need a new RR?
>
> If the content is the same as TLSA, just with a different naming scheme,
> why not just use TLSA?

Because the semantics of the record are different. The TLSA record was
specifically defined for TLS.

> A requirement to update dns software for every new use case might be an
> excessive burden on the community.

Could be, but overloading the TLSA record could have bad side-effects as
well. I would rather err on the side of safety here.

--Paul Hoffman

From ietf@augustcellars.com  Mon Sep 10 22:04:48 2012
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Jakob Schlyter'" <jakob@kirei.se>, "'IETF DANE WG list'" <dane@ietf.org>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>
In-Reply-To: <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>
Date: Mon, 10 Sep 2012 22:03:21 -0700
Message-ID: <046d01cd8fda$c5670d00$50352700$@augustcellars.com>
Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

Before I do a detailed review of the document, I have a question about the
problem that this document is trying to solve.  I can see three different
problems that one could try and solve with this document.

1.  I have been given a certificate. That certificate contains an email
address.  I want to establish that I should trust the certificate.

2.  I have been given a certificate.  I have gotten an email address from
the email message, but there is no email address in the certificate.  I want
to establish that I should trust the certificate.  Additionally, I may want
to establish that the certificate has a binding with the email address.

3.  I have an email address.  I need to a) find a certificate for the email
address (either for encryption or because the signed message did not have a
certificate in it) and b) establish that I should trust the certificate.


Given the current document, I believe that I can do problem #1.  The
population code will be able to map the email address in the certificate to
the correct DNS name and the client will be able to do the lookup using the
same process.  The DNS could have different names for different
capitalizations based on what is in the certificate.  No problems.

Problem #2 is harder.  If the email address is capitalized correctly, then I
can find the certificate, but depending on what is in the DNS record, I may
or may not be able to establish that the certificate and the email address
should be bound together.   The capitalization issue could be addressed by
the DNS populator, depending on what the local mail server does, by creating
a record for every possible capitalization if the local mail server will do
case folding.  This is not needed if the local mail server does not do case
folding of mailbox names.  For messages coming from a user, it might be
sufficient to assume that they are going to put the correct capitalization
in the email message itself if folding is not done by the mail server.  This
may not be the case if folding is done by the mail server.

Problem #3 is almost impossible.  It would require that only end-entity
certificate be listed, and this would mean that either it would be directly
trusted or one would need to have both an EE certificate and a trust anchor
listed in the DNS entry.  The capitalization issue would need to be
addressed as in the previous paragraph, but is harder given that the sender
may have never seen the mailbox name for the recipient and may be guessing
at what the string should be if the DNS namespace is not over-populated.

Jim


> -----Original Message-----
> From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of
> Jakob Schlyter
> Sent: Monday, September 10, 2012 1:15 PM
> To: IETF DANE WG list
> Subject: [dane] FYI: New Version Notification for draft-hoffman-dane-
> smime-04.txt
> 
> FYI, we've made a last-minute update to the DANE S/MIME draft based on
> the input from the list.
> If the WG would like to adopt this draft (which we hope it will), we'd be
> happy to continue as editors.
> 
> Chairs: Will the WG meet in Atlanta?
> 
> 
> 	Jakob & Paul
> 
> 
> Begin forwarded message:
> 
> > From: internet-drafts@ietf.org
> > Subject: New Version Notification for draft-hoffman-dane-smime-04.txt
> > Date: 8 september 2012 18:13:45 CEST
> > To: paul.hoffman@vpnc.org
> > Cc: jakob@kirei.se
> >
> >
> > A new version of I-D, draft-hoffman-dane-smime-04.txt has been
> > successfully submitted by Paul Hoffman and posted to the IETF
> > repository.
> >
> > Filename:	 draft-hoffman-dane-smime
> > Revision:	 04
> > Title:		 Using Secure DNS to Associate Certificates with
Domain
> Names For S/MIME
> > Creation date:	 2012-09-06
> > WG ID:		 Individual Submission
> > Number of pages: 6
> > URL:             http://www.ietf.org/internet-drafts/draft-hoffman-dane-
> smime-04.txt
> > Status:
http://datatracker.ietf.org/doc/draft-hoffman-dane-smime
> > Htmlized:        http://tools.ietf.org/html/draft-hoffman-dane-smime-04
> > Diff:
http://www.ietf.org/rfcdiff?url2=draft-hoffman-dane-smime-04
> >
> > Abstract:
> >   This document describes how to use secure DNS to associate an S/MIME
> >   user's certificate with the intended domain name, similar to the way
> >   that DANE (RFC 6698) does for TLS.
> >
> >
> >
> >
> > The IETF Secretariat
> >
> 
> --
> Jakob Schlyter
> Kirei AB - http://www.kirei.se/
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From fanf2@hermes.cam.ac.uk  Tue Sep 11 03:28:17 2012
Date: Tue, 11 Sep 2012 11:28:13 +0100
From: Tony Finch <dot@dotat.at>
To: Jim Schaad <ietf@augustcellars.com>
In-Reply-To: <046d01cd8fda$c5670d00$50352700$@augustcellars.com>
Message-ID: <alpine.LSU.2.00.1209111127511.1469@hermes-1.csi.cam.ac.uk>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com>
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

Jim Schaad <ietf@augustcellars.com> wrote:
>
> I have an email address.  I need to a) find a certificate for the email
> address (either for encryption or because the signed message did not
> have a certificate in it) and b) establish that I should trust the
> certificate.

I would really like to see this solved.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

From jakob@kirei.se  Tue Sep 11 06:25:40 2012
From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <046d01cd8fda$c5670d00$50352700$@augustcellars.com>
Date: Tue, 11 Sep 2012 15:25:34 +0200
Message-Id: <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

On 11 sep 2012, at 07:03, Jim Schaad <ietf@augustcellars.com> wrote:

> Problem #3 is almost impossible.  It would require that only end-entity
> certificate be listed, and this would mean that either it would be directly
> trusted or one would need to have both an EE certificate and a trust anchor
> listed in the DNS entry.  The capitalization issue would need to be
> addressed as in the previous paragraph, but is harder given that the sender
> may have never seen the mailbox name for the recipient and may be guessing
> at what the string should be if the DNS namespace is not over-populated.

I believe you are somewhat exaggerating this problem. IMHO, the requirements
you list are true but in no way a showstopper, and I believe that
publishing a down-cased EE cert would be a very pragmatic and deployable
way of doing this.

	jakob
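The capitalization problem Jim Schaad describes in his message above, and the down-cased publication Jakob suggests here, modelled in an added Python example. This is not code from draft-hoffman-dane-smime and not written by anyone on this list. The owner-name layout <local-part>._smimecert.<domain>. is assumed purely for illustration and is not the draft's actual mapping; the certificate bytes are a constructed stand-in; the record tuple reuses the TLSA field layout and code points from RFC 6698 (the point James Cloos makes about the content being the same):

```python
"""Added example (not from draft-hoffman-dane-smime or any list post):
models the capitalization problem Jim raises and the down-cased
publication Jakob suggests, using a toy in-memory zone.

ASSUMPTION: the owner-name layout <local-part>._smimecert.<domain>. used
below is a placeholder for illustration, not the draft's actual mapping.
"""
import hashlib
import itertools
from typing import Dict, Iterator, List, Tuple

# Record fields follow the TLSA layout from RFC 6698:
# (certificate usage, selector, matching type, certificate association data).
Record = Tuple[int, int, int, str]
Zone = Dict[str, List[Record]]


def owner_name(local_part: str, domain: str) -> str:
    """Hypothetical owner name; the local part is used exactly as given,
    so 'Alice' and 'alice' map to different DNS names."""
    return f"{local_part}._smimecert.{domain.lower()}."


def ee_record(cert_der: bytes) -> Record:
    """Usage 3 (domain-issued certificate), selector 0 (full certificate),
    matching type 1 (SHA-256 of the DER encoding)."""
    return (3, 0, 1, hashlib.sha256(cert_der).hexdigest())


def capitalizations(local_part: str) -> Iterator[str]:
    """Every distinct letter-case variant of local_part."""
    choices = [tuple(sorted({c.lower(), c.upper()})) for c in local_part]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def publish_every_capitalization(zone: Zone, email: str, cert_der: bytes) -> int:
    """Jim's option for a case-folding mail server: one record per variant.
    Returns the number of owner names created (2 ** number of letters)."""
    local, domain = email.rsplit("@", 1)
    count = 0
    for variant in capitalizations(local):
        zone.setdefault(owner_name(variant, domain), []).append(ee_record(cert_der))
        count += 1
    return count


def publish_downcased(zone: Zone, email: str, cert_der: bytes) -> int:
    """Jakob's option: a single record under the down-cased local part."""
    local, domain = email.rsplit("@", 1)
    zone.setdefault(owner_name(local.lower(), domain), []).append(ee_record(cert_der))
    return 1


def lookup(zone: Zone, email: str, server_folds_case: bool) -> List[Record]:
    """Client side: query the address as written; fall back to the down-cased
    name only when the receiving server is known to fold case, since
    otherwise 'Alice' and 'alice' may be different mailboxes."""
    local, domain = email.rsplit("@", 1)
    records = zone.get(owner_name(local, domain))
    if records is None and server_folds_case:
        records = zone.get(owner_name(local.lower(), domain))
    return records or []


def verify(zone: Zone, email: str, cert_der: bytes, server_folds_case: bool) -> bool:
    """True if the presented certificate matches a published association."""
    return ee_record(cert_der) in lookup(zone, email, server_folds_case)


if __name__ == "__main__":
    cert = b"constructed stand-in for a DER-encoded certificate"
    zone: Zone = {}
    print(publish_every_capitalization(zone, "Alice@Example.com", cert))  # 32
    zone = {}
    publish_downcased(zone, "Alice@Example.com", cert)
    print(verify(zone, "Alice@example.com", cert, server_folds_case=False))  # False
    print(verify(zone, "Alice@example.com", cert, server_folds_case=True))   # True
```

Publishing every capitalization costs 2 to the power of the number of letters in the local part (32 owner names for "Alice"), which is why the single down-cased record is the deployable choice; the cost of that choice, visible in the lookup function, is that a client must know whether the receiving server folds case before it may fall back to the down-cased name, otherwise it could accept a certificate published for a different mailbox.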


From nweaver@icsi.berkeley.edu  Tue Sep 11 08:25:21 2012
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se>
Date: Tue, 11 Sep 2012 08:25:19 -0700
Message-Id: <1FD9BB39-717A-4114-B71B-50C19E8CE7B1@icsi.berkeley.edu>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com> <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se>
To: Jakob Schlyter <jakob@kirei.se>
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-smime-04.txt

On Sep 11, 2012, at 6:25 AM, Jakob Schlyter wrote:

> On 11 sep 2012, at 07:03, Jim Schaad <ietf@augustcellars.com> wrote:
> 
>> Problem #3 is almost impossible.  It would require that only end-entity
>> certificate be listed, and this would mean that either it would be directly
>> trusted or one would need to have both an EE certificate and a trust anchor
>> listed in the DNS entry.  The capitalization issue would need to be
>> addressed as in the previous paragraph, but is harder given that the sender
>> may have never seen the mailbox name for the recipient and may be guessing
>> at what the string should be if the DNS namespace is not over-populated.
> 
> I believe you are somewhat exaggerating this problem. IMHO, the
> requirements you list are true but in no way a showstopper and I believe
> that publishing down-cased EE cert would be a very pragmatic and
> deployable way of doing this.

I think the biggest problem is the trust relationships...

DNSSEC is designed to secure communication to the owner of the domain
name.  The same applies for DANE in most cases.

With SMIME, the receiving mail server (and thus the DNS infrastructure
behind it) is not nearly so trusted: one point of something like SMIME
is to keep Google (the mail server) from datamining the email to use
against me.

Which implies that for problem #3, the solution may involve a DNSSEC
signed record that includes both the SMIME certificate AND the identity
of the mail account, with user's domains for the mail lookup being
different from the domain (and company) handling the actual mail
processing.


From ietf@augustcellars.com  Tue Sep 11 08:32:01 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489B121F880D for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 08:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.524
X-Spam-Level: 
X-Spam-Status: No, score=-3.524 tagged_above=-999 required=5 tests=[AWL=0.075,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y+K2wkFbpDjG for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 08:32:00 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id 5A70121F87FF for <dane@ietf.org>; Tue, 11 Sep 2012 08:31:59 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id F31D82CA11; Tue, 11 Sep 2012 08:31:58 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Jakob Schlyter'" <jakob@kirei.se>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com> <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se>
In-Reply-To: <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se>
Date: Tue, 11 Sep 2012 08:30:35 -0700
Message-ID: <04a401cd9032$6408df40$2c1a9dc0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG8NZDUnukvMfDekkDNtxUX+Lj1cwEyVOAsAhUy6bcBkhcgs5eBLIyw
Content-Language: en-us
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification for	draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 15:32:01 -0000

> -----Original Message-----
> From: Jakob Schlyter [mailto:jakob@kirei.se]
> Sent: Tuesday, September 11, 2012 6:26 AM
> To: Jim Schaad
> Cc: 'IETF DANE WG list'
> Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-
> smime-04.txt
> 
> On 11 sep 2012, at 07:03, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> > Problem #3 is almost impossible.  It would require that only
> > end-entity certificate be listed, and this would mean that either it
> > would be directly trusted or one would need to have both an EE
> > certificate and a trust anchor listed in the DNS entry.  The
> > capitalization issue would need to be addressed as in the previous
> > paragraph, but is harder given that the sender may have never seen the
> > mailbox name for the recipient and may be guessing at what the string
> should be if the DNS namespace is not over-populated.
> 
> I believe you are somewhat exaggerating this problem. IMHO, the requirements
> you list are true but in no way a showstopper and I believe that publishing
> down-cased EE cert would be a very pragmatic and deployable way of doing
> this.

This may or may not be true; however, it does not address the question I
asked in the mail.  Which of the problems is this trying to solve?

Jim

> 
> 	jakob


From martin@rodecker.nl  Tue Sep 11 10:29:31 2012
Return-Path: <martin@rodecker.nl>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49C9B21F8441 for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 10:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1HnuR+z3HUR for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 10:29:30 -0700 (PDT)
Received: from nienna.rodecker.nl (nienna.rodecker.nl [IPv6:2a02:348:35:5aa3::1]) by ietfa.amsl.com (Postfix) with ESMTP id 94B1721F843F for <dane@ietf.org>; Tue, 11 Sep 2012 10:29:30 -0700 (PDT)
Received: from fizzix (nienna.rodecker.nl [79.170.90.163]) by nienna.rodecker.nl (Postfix) with ESMTPSA id 0E0F41C178; Tue, 11 Sep 2012 19:29:28 +0200 (CEST)
Date: Tue, 11 Sep 2012 19:29:26 +0200
From: Martin Pels <martin@rodecker.nl>
To: Tony Finch <dot@dotat.at>
Message-ID: <20120911192926.0b8eb3e7@fizzix>
In-Reply-To: <alpine.LSU.2.00.1209111127511.1469@hermes-1.csi.cam.ac.uk>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com> <alpine.LSU.2.00.1209111127511.1469@hermes-1.csi.cam.ac.uk>
X-Mailer: Claws Mail 3.8.0 (GTK+ 2.24.10; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification	for draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 17:29:31 -0000

On Tue, 11 Sep 2012 11:28:13 +0100
Tony Finch <dot@dotat.at> wrote:

> Jim Schaad <ietf@augustcellars.com> wrote:
> >
> > I have an email address.  I need to a) find a certificate for the email
> > address (either for encryption or because the signed message did not
> > have a certificate in it) and b) establish that I should trust the
> > certificate.
> 
> I would really like to see this solved.

+1

I think this is the main problem the document should tackle.

Kind regards,
Martin

From jakob@kirei.se  Tue Sep 11 12:07:51 2012
Return-Path: <jakob@kirei.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AA7E21F8595 for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 12:07:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.698
X-Spam-Level: 
X-Spam-Status: No, score=-0.698 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_SE=0.35, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmpV2eWc3slG for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 12:07:50 -0700 (PDT)
Received: from spg.kirei.se (spg.kirei.se [IPv6:2001:67c:394:15::9]) by ietfa.amsl.com (Postfix) with ESMTP id 1C96821F855A for <dane@ietf.org>; Tue, 11 Sep 2012 12:07:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kirei.se; s=spg20100524; h=received:content-type:mime-version:subject:from:in-reply-to:date:cc: message-id:references:to:x-mailer; bh=R8q9SBRLPRjpcMrJEJSkX3oiF0Z8Ai70tzZqNL1LFFU=; b=CKrKBsNwn6+wlEBKKZZEnPTWceRO4FH9sZKBaNiCSGzdzmMTy0EO2Tfxgk3zI9WMjObYt4XzDYkHo pBpHCqViqXizdxinh/SP3XisummGsDz/pQbUR3aXwZ9kNLoylVQvVcbDM1xnSt/Q/FDdz3vqtoniFL P/tSHeEGbNnDPoPg=
Received: from mail.kirei.se (unknown [91.206.174.10]) by spg-relay.kirei.se (Halon Mail Gateway) with ESMTPS; Tue, 11 Sep 2012 21:07:47 +0200 (CEST)
Content-Type: multipart/signed; boundary="Apple-Mail=_19FFDA3B-3C4D-44E2-A10E-46C72CBAE593"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <04a401cd9032$6408df40$2c1a9dc0$@augustcellars.com>
Date: Tue, 11 Sep 2012 21:07:45 +0200
Message-Id: <DB46444E-5858-4D0E-A67E-AA332799321A@kirei.se>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com> <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se> <04a401cd9032$6408df40$2c1a9dc0$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.1486)
Cc: 'IETF DANE WG list' <dane@ietf.org>
Subject: Re: [dane] FYI: New Version Notification for	draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 19:07:51 -0000

On 11 sep 2012, at 17:30, Jim Schaad <ietf@augustcellars.com> wrote:

> Which of the problems is this trying to solve?

All three.

	jakob


From paul.hoffman@vpnc.org  Tue Sep 11 15:02:42 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2878321F859E for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 15:02:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gk47-avPme7k for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 15:02:41 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id A9FCA21F8595 for <dane@ietf.org>; Tue, 11 Sep 2012 15:02:41 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q8BM2cvF042937 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dane@ietf.org>; Tue, 11 Sep 2012 15:02:40 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <DB46444E-5858-4D0E-A67E-AA332799321A@kirei.se>
Date: Tue, 11 Sep 2012 15:02:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <710887EA-FB7C-4880-83F2-B6EA1EDC2797@vpnc.org>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com> <577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se> <046d01cd8fda$c5670d00$50352700$@augustcellars.com> <7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se> <04a401cd9032$6408df40$2c1a9dc0$@augustcellars.com> <DB46444E-5858-4D0E-A67E-AA332799321A@kirei.se>
To: IETF DANE WG list <dane@ietf.org>
X-Mailer: Apple Mail (2.1486)
Subject: Re: [dane] FYI: New Version Notification for	draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 22:02:42 -0000

On Sep 11, 2012, at 12:07 PM, Jakob Schlyter <jakob@kirei.se> wrote:

> On 11 sep 2012, at 17:30, Jim Schaad <ietf@augustcellars.com> wrote:
> 
>> Which of the problems is this trying to solve?
> 
> All three.

+1.

Jim knows full well the issue with case conversion (or at least he
should remember it from the two times he and I have discussed it in
depth over the past eight years) is not just about case conversion. All
internationalization is dealt with the same way. If someone has a list
of equivalences they want their LHS to be known as, it is trivial for
them to populate the DNS with SMIMEA records for all of those. There is
no way we would tell them what those equivalences would be, not to tell
the searcher what they should be searching for.

--Paul Hoffman

From ietf@augustcellars.com  Tue Sep 11 15:30:56 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC27721F8679 for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 15:30:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.539
X-Spam-Level: 
X-Spam-Status: No, score=-3.539 tagged_above=-999 required=5 tests=[AWL=0.060,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dpGi4YwjsElD for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 15:30:55 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id D996921F8678 for <dane@ietf.org>; Tue, 11 Sep 2012 15:30:55 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id 7D33638EE8; Tue, 11 Sep 2012 15:30:55 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Paul Hoffman'" <paul.hoffman@vpnc.org>, "'IETF DANE WG list'" <dane@ietf.org>
References: <20120908161345.32470.87669.idtracker@ietfa.amsl.com>	<577789DE-4A22-48D3-ACBE-8297B6C1DBCE@kirei.se>	<046d01cd8fda$c5670d00$50352700$@augustcellars.com>	<7C162211-2928-46E5-83C3-CAEF246CD194@kirei.se>	<04a401cd9032$6408df40$2c1a9dc0$@augustcellars.com>	<DB46444E-5858-4D0E-A67E-AA332799321A@kirei.se> <710887EA-FB7C-4880-83F2-B6EA1EDC2797@vpnc.org>
In-Reply-To: <710887EA-FB7C-4880-83F2-B6EA1EDC2797@vpnc.org>
Date: Tue, 11 Sep 2012 15:29:31 -0700
Message-ID: <04c601cd906c$ea38c870$beaa5950$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG8NZDUnukvMfDekkDNtxUX+Lj1cwEyVOAsAhUy6bcBkhcgswIiaXhyAdLrD0YCE9mk4JdRVuYQ
Content-Language: en-us
Subject: Re: [dane] FYI: New Version Notification	for	draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 22:30:56 -0000

> -----Original Message-----
> From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of
> Paul Hoffman
> Sent: Tuesday, September 11, 2012 3:03 PM
> To: IETF DANE WG list
> Subject: Re: [dane] FYI: New Version Notification for draft-hoffman-dane-
> smime-04.txt
> 
> On Sep 11, 2012, at 12:07 PM, Jakob Schlyter <jakob@kirei.se> wrote:
> 
> > On 11 sep 2012, at 17:30, Jim Schaad <ietf@augustcellars.com> wrote:
> >
> >> Which of the problems is this trying to solve?
> >
> > All three.
> 
> +1.
> 
> Jim knows full well the issue with case conversion (or at least he should
> remember it from the two times he and I have discussed it in depth over the
> past eight years) is not just about case conversion. All internationalization
> is dealt with the same way. If someone has a list of equivalences they want
> their LHS to be known as, it is trivial for them to populate the DNS with
> SMIMEA records for all of those. There is no way we would tell them what
> those equivalences would be, not to tell the searcher what they should be
> searching for.

I completely agree that we are not going to tell implementers what the
solution is; that is a long way from not saying that this is a problem that
needs to be addressed by the systems that are populating the DNS.  I think
that the problem itself needs to be described and discussed.

I am fully aware that there are systems in the United States where the case
folding does not occur when mail is delivered or when the address in an
email message is compared with the address in a certificate.  This means
that it is not automatic that there is a single way of solving the problem.
It does not however mean that there is not a problem that needs to be
discussed.

Jim

> 
> --Paul Hoffman
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From ietf@augustcellars.com  Tue Sep 11 17:06:01 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF16421E803C for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 17:06:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.549
X-Spam-Level: 
X-Spam-Status: No, score=-3.549 tagged_above=-999 required=5 tests=[AWL=0.050,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBA6PQzY9Ez0 for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 17:06:01 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id 1600E21F864A for <dane@ietf.org>; Tue, 11 Sep 2012 17:06:01 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id D66A438EE8 for <dane@ietf.org>; Tue, 11 Sep 2012 17:06:00 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'IETF DANE WG list'" <dane@ietf.org>
Date: Tue, 11 Sep 2012 17:04:36 -0700
Message-ID: <04c801cd907a$32c47c80$984d7580$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac2Qb/BdwRUecxAmQIaHkQPRYkG8vQ==
Content-Language: en-us
Subject: [dane] Review draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 00:06:01 -0000

1.  Based on the set of email messages I think that the introduction needs
some expansion. My previous question on the scope of the problem had to do
with the first sentence of the introduction as this implies that
certificates coming with messages are the main point of this document.   I
will try and address this in a separate message.

2.  In order to deal with issues that are present for S/MIME and not for
TLS, I believe that a new conjunction item is required to be added to the
Certificate Usage field that says a) this is the EE certificate to be used
and b) this is the trust anchor to be used.

3.  If the certificate lookup problem is to be solved, then it needs to be
made clear that the full certificate selector is going to be the common one
for the EE certificate of an S/MIME recipient for encryption, but it may not
be for an S/MIME sender that is signing.

4.  I think a new security consideration needs to be placed in for dealing
with certificate revocation.  In the TLS case if a server knows that a
certificate has been revoked, it can just not present it and the only
problem will be that the client cannot validate the certificate until the
TTL has expired.  This is not the case for encryption certificates for
recipients of S/MIME messages.  It is highly probable that the recipient
will still want the sender to do a revocation check as that might be faster
than the TTL expiration.  In this case the sender will be unable to get a
valid certificate and must defer sending.  If this is not the case then a
certificate which has been revoked by the CA might still be used by an RP
because it is valid in the DNS.  At a minimum this is a discussion that is
needed for setting TTL times on these records.

5.  I think a new security consideration needs to be placed in for dealing
with the fact that the DNS authority might not be authoritative for any
information in the association.  As presented elsewhere, consider the case
where I put up a CA for my enterprise, but decide to allow the use of Gmail
accounts for some employees.  This means that I now need to have Google
publish into its DNS the EE and trust root certificates for my employees
that are using the Gmail accounts.  Google however does not control any of
the security properties of the CA that is being used to issue and maintain
the certificates involved.  This is different from the usual TLS case where
the DNS provider and the service provider have a tight association.  Even in
the case where things are outsourced there is a contractual relationship
between the DNS provider and the service provider.  This is not the case for
the email world.

6.  It might be worthwhile to consider allowing for publication of trust
anchor records (only type 2) at the _smimecert level for those cases where a
small number of trust anchors should be used for all of the recipients for a
domain.  This does not solve the EE certificate lookup problem, but does
make a simpler way to advertise the TA for a domain without allowing trolls
to find all of the email addresses associated with a domain.

7.  This document does not refer to the registries created in 7.2, 7.3 and
7.4 of the DANE TLSA document.  This means it is not clear that if a
document defines a new TLSA certificate usage, that it would or would not
apply to the SMIMEA record.  At this time I would assume that it would not.

8.  As mentioned elsewhere, the problem of looking up certificates in the
presence of mail servers that are willing to do collapse of local parts
needs to be addressed.  The problem needs to be described, but a solution
does not need to be stated as this is highly dependent on how the collapse
is going to be done.

Jim
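
Paul's split above (the domain publishes a record for every equivalence it accepts; the searcher only tries the forms that are safe anywhere) together with Jim's item 8 on local-part collapse, as an added example in Python that is not code from the draft or the WG. It assumes an owner name of `<hex sha256(local-part)>._smimecert.<domain>` purely as a placeholder, since the thread does not state the draft's construction; `publish`, `lookup`, the policy flags and the sample zones are constructed for the demo.

```python
"""SMIMEA publisher/searcher helpers under local-part equivalences.

Added example, not code from draft-hoffman-dane-smime or the DANE WG.
ASSUMPTION: the owner name is <hex sha256(local-part)>._smimecert.<domain>.
That label construction is a placeholder for this demo only.
"""
from __future__ import annotations

import hashlib


def owner_name(local_part: str, domain: str) -> str:
    """Map one exact spelling of a local-part to a DNS owner name (assumed format)."""
    label = hashlib.sha256(local_part.encode("utf-8")).hexdigest()
    # Domain names are case-insensitive, so the domain is folded; the
    # local-part is hashed exactly as spelled, which is the whole problem.
    return f"{label}._smimecert.{domain.lower().rstrip('.')}."


def equivalences(local_part: str, collapse_dots: bool = False,
                 strip_plus_tag: bool = False) -> set[str]:
    """Spellings a receiving system treats as the same mailbox.

    Only the domain knows which folding rules it applies, so the flags are the
    publisher's policy.  The spelling as given is always included.
    """
    forms = {local_part, local_part.lower()}
    if strip_plus_tag:  # user+tag -> user
        forms |= {f.split("+", 1)[0] for f in forms}
    if collapse_dots:   # jim.schaad -> jimschaad (the "collapse of local parts" case)
        forms |= {f.replace(".", "") for f in forms}
    return forms


def publish(address: str, rdata: str, **policy: bool) -> dict[str, str]:
    """Publisher side: one SMIMEA record per equivalent spelling, same RDATA."""
    local, domain = address.rsplit("@", 1)
    return {owner_name(f, domain): rdata for f in equivalences(local, **policy)}


def lookup(address: str, zone: dict[str, str]) -> tuple[str, str] | None:
    """Searcher side: try the spelling as given, then the down-cased one.

    The sender cannot know the receiving domain's folding rules, so it only
    tries forms that are safe for any domain; every other equivalence has to
    come from the publisher via publish().
    """
    local, domain = address.rsplit("@", 1)
    for candidate in (local, local.lower()):
        name = owner_name(candidate, domain)
        if name in zone:
            return candidate, zone[name]
    return None


# Constructed sample RDATA in TLSA-style presentation form (usage, selector,
# matching type, data); the data field is a placeholder, not a certificate.
SAMPLE_RDATA = "3 0 0 <constructed-cert-hex>"

if __name__ == "__main__":
    strict = publish("Jim.Schaad@example.com", SAMPLE_RDATA)
    folding = publish("Jim.Schaad@example.com", SAMPLE_RDATA, collapse_dots=True)
    for addr in ("JIM.SCHAAD@example.com", "jimschaad@example.com"):
        print(addr, "strict:", lookup(addr, strict), "folding:", lookup(addr, folding))
```

The lookup of `jimschaad@example.com` succeeds only against the zone whose publisher chose to collapse dots, which is the asymmetry Jim and Paul are arguing about.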




From carl@redhoundsoftware.com  Tue Sep 11 17:29:30 2012
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 724D921F8584 for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 17:29:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L87rkV2BVpiF for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 17:29:30 -0700 (PDT)
Received: from mail-gg0-f172.google.com (mail-gg0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id F05C321F8582 for <dane@ietf.org>; Tue, 11 Sep 2012 17:29:29 -0700 (PDT)
Received: by ggnh4 with SMTP id h4so258785ggn.31 for <dane@ietf.org>; Tue, 11 Sep 2012 17:29:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=user-agent:date:subject:from:to:message-id:thread-topic:in-reply-to :mime-version:content-type:content-transfer-encoding :x-gm-message-state; bh=ufXnPXf+EslfdBJd3rR/bWDzTnLwSdA9FItsBrKtCco=; b=Cla3Fw46GkLOa9lEyhbfagTji6MIj+WCo8DkLN4r3TMF0R5V/K5NwMFj+dgzqmPGMH gKwJhzxbXQkXxwTg38Z5eu696Rn62+evgs+Q3X2vUV5EOv47iif0F/GeVJ8brgk+C91t l5iiP8x34kWjXZ2woPaS0QnqzcwwoPBB96VwAxrKvis1MqnQdyDS90e4pyrBljYX8zaK r6hX1prfVzEhzNS3aUpPsFS/zncjcUdrC+9cgYaGB7AoN+m8a2PcJAbE8qm18jNyEec7 tUQuEvb9xj8SYAPkTrgsWMoSByV8cp8F0V5cLrQIIs4URL7qlygmz8MczshNWAivULkC 3/7A==
Received: by 10.236.197.3 with SMTP id s3mr18378040yhn.1.1347409769435; Tue, 11 Sep 2012 17:29:29 -0700 (PDT)
Received: from [192.168.2.3] (pool-72-66-83-116.washdc.fios.verizon.net. [72.66.83.116]) by mx.google.com with ESMTPS id p21sm33019555yhj.11.2012.09.11.17.29.25 (version=SSLv3 cipher=OTHER); Tue, 11 Sep 2012 17:29:28 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.2.3.120616
Date: Tue, 11 Sep 2012 20:29:20 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Jim Schaad <ietf@augustcellars.com>, 'IETF DANE WG list' <dane@ietf.org>
Message-ID: <CC754DD8.26E51%carl@redhoundsoftware.com>
Thread-Topic: [dane] Review draft-hoffman-dane-smime-04.txt
In-Reply-To: <04c801cd907a$32c47c80$984d7580$@augustcellars.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-Gm-Message-State: ALoCoQlN+ccUJayydQvZsv7nvysbXQJkR8TJlt5DfH6VJaD8fp09Qqch0czQQsIGAMcqGlpGQt+p
Subject: Re: [dane] Review draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 00:29:30 -0000

On 9/11/12 8:04 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:
><snip>
>2.  In order to deal with issues that are present for S/MIME and not for
>TLS, I believe that a new conjunction item is required to be added to the
>Certificate Usage field that says a) this is the EE certificate to be used
>and b) this is the trust anchor to be used.

Why the trust anchor?  It's far more common (in my experience) to have to
install a trust anchor to exchange email with someone than to interact
with a web server.  It's also common for the trust anchor considered by
the sender to vary from the trust anchor used by the verifier.  A CA
constraint should work well here.

>3.  If the certificate lookup problem is to be solved, then it needs to be
>made clear that the full certificate selector is going to be the common one
>for the EE certificate of an S/MIME recipient for encryption, but it may not
>be for an S/MIME sender that is signing.

Certificate lookup for encryption seems like something that might be
better solved using a certificate transparency log.

<snip>



From ietf@augustcellars.com  Tue Sep 11 19:56:18 2012
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B0DD21F8504 for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 19:56:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.556
X-Spam-Level: 
X-Spam-Status: No, score=-3.556 tagged_above=-999 required=5 tests=[AWL=0.043,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kfqWpWPBMLoP for <dane@ietfa.amsl.com>; Tue, 11 Sep 2012 19:56:17 -0700 (PDT)
Received: from smtp4.pacifier.net (smtp4.pacifier.net [64.255.237.176]) by ietfa.amsl.com (Postfix) with ESMTP id B201E21F8501 for <dane@ietf.org>; Tue, 11 Sep 2012 19:56:17 -0700 (PDT)
Received: from Tobias (mail.augustcellars.com [50.34.17.238]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: schaad@nwlink.com) by smtp4.pacifier.net (Postfix) with ESMTPSA id 26CA538EE8; Tue, 11 Sep 2012 19:56:17 -0700 (PDT)
From: "Jim Schaad" <ietf@augustcellars.com>
To: "'Carl Wallace'" <carl@redhoundsoftware.com>, "'IETF DANE WG list'" <dane@ietf.org>
References: <04c801cd907a$32c47c80$984d7580$@augustcellars.com> <CC754DD8.26E51%carl@redhoundsoftware.com>
In-Reply-To: <CC754DD8.26E51%carl@redhoundsoftware.com>
Date: Tue, 11 Sep 2012 19:54:52 -0700
Message-ID: <04d201cd9091$fc13b4e0$f43b1ea0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFs0rwKhGN624yAm8G4yLpJ9+vyAphHfd4g
Content-Language: en-us
Subject: Re: [dane] Review draft-hoffman-dane-smime-04.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Sep 2012 02:56:18 -0000

> -----Original Message-----
> From: Carl Wallace [mailto:carl@redhoundsoftware.com]
> Sent: Tuesday, September 11, 2012 5:29 PM
> To: Jim Schaad; 'IETF DANE WG list'
> Subject: Re: [dane] Review draft-hoffman-dane-smime-04.txt
> 
> On 9/11/12 8:04 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:
> ><snip>
> >2.  In order to deal with issues that are present for S/MIME and not
> >for TLS, I believe that a new conjunction item is required to be added
> >to the Certificate Usage field that says a) this is the EE certificate
> >to be used and b) this is the trust anchor to be used.
> 
> Why the trust anchor?  It's far more common (in my experience) to have to
> install a trust anchor to exchange email with someone than to interact
> with a web server.  It's also common for the trust anchor considered by
> the sender to vary from the trust anchor used by the verifier.  A CA
> constraint should work well here.

You are quite right that a CA constraint would also work here.
However, part of the effort is to reduce the need to install the trust
anchor, as is currently required today.  I would agree that one would be
able to say a) this EE cert and b) through this CA as well.  I would argue
that we want to create the AND statement that I argued for back in the days
of the DANE base spec but that nobody else thought was needed.


> 
> >3.  If the certificate lookup problem is to be solved, then it needs to
> >be made clear that the full certificate selector is going to be the
> >common one for the EE certificate of an S/MIME recipient for
> >encryption, but it may not be for an S/MIME sender that is signing.
> 
> Certificate lookup for encryption seems like something that might be
> better solved using a certificate transparency log.

It will be interesting to see if this really amounts to anything, but the
authors have said that this is one goal of the current work.

Jim

> 
> <snip>



From warren@kumari.net  Sat Sep 22 04:02:20 2012
Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1747621F8748 for <dane@ietfa.amsl.com>; Sat, 22 Sep 2012 04:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.586
X-Spam-Level: 
X-Spam-Status: No, score=-97.586 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, DATE_IN_PAST_12_24=0.992, FH_RELAY_NODNS=1.451,  HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhhZsHFjd6gR for <dane@ietfa.amsl.com>; Sat, 22 Sep 2012 04:02:19 -0700 (PDT)
Received: from vimes.kumari.net (unknown [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CDA821F8745 for <dane@ietf.org>; Sat, 22 Sep 2012 04:02:19 -0700 (PDT)
Received: from [192.168.1.201] (unknown [62.50.250.4]) by vimes.kumari.net (Postfix) with ESMTPSA id 4DE231B4052F; Fri, 21 Sep 2012 13:27:29 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net>
Date: Fri, 21 Sep 2012 13:27:29 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net>
To: IETF DANE WG list <dane@ietf.org>
X-Mailer: Apple Mail (2.1486)
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Sep 2012 11:02:20 -0000

On Sep 10, 2012, at 5:25 PM, Warren Kumari <warren@kumari.net> wrote:

> Dear WG,
> 
> This draft has already received some comment (and has been revised to
> incorporate / address those), so I'm assuming that there will be
> sufficient interest to adopt, but for the form of the thing:
> 
> This starts a call for adoption of draft-hoffman-dane-smime.
> Please provide feedback as to if you would like this draft adopted by
> Sept 17th, 2012.

We have discussed this, and see sufficient interest for adopting this
draft -- would the authors please re-submit as draft-dane-?

W

> 
> W
> 
> -- 
> Never criticize a man till you've walked a mile in his shoes.  Then if
> he didn't like what you've said, he's a mile away and barefoot.
> 
> 
> 


From ondrej.sury@nic.cz  Sun Sep 23 03:28:09 2012
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8902A21F8425 for <dane@ietfa.amsl.com>; Sun, 23 Sep 2012 03:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.16
X-Spam-Level: 
X-Spam-Status: No, score=0.16 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Hk8x25gdNgJ for <dane@ietfa.amsl.com>; Sun, 23 Sep 2012 03:28:08 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id 73FD621F84C9 for <dane@ietf.org>; Sun, 23 Sep 2012 03:28:07 -0700 (PDT)
Received: from dhcp-27-89.ripemtg.ripe.net (dhcp-27-89.ripemtg.ripe.net [193.0.27.89]) by mail.nic.cz (Postfix) with ESMTPSA id 5041E14047B for <dane@ietf.org>; Sun, 23 Sep 2012 12:28:05 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1348396085; bh=Xm7YTkKkfYJ3Ws0qwmrq2Zpps29nGRZj+SfFDqEcHTY=; h=From:Content-Type:Subject:Message-Id:Date:To:Mime-Version; b=WYR8MHVz0l83gC/QYgUqXzwFIx236eL/H47+9nRkaTXFWkzcBa6YGoAEi//Nx972E 5z1JX2di3wRWe6wWA6P5dzPqc4gIh0x6h2KStzx9A1xPPB+sczNcO0tA0WauBq+d0o j+Q6ZsfwwOu8MwffwnOacSbDBOhceLYETqvmrAN0=
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
Content-Type: multipart/signed; boundary="Apple-Mail=_67320362-37CE-453E-8B55-49013EEA27BF"; protocol="application/pkcs7-signature"; micalg=sha1
Message-Id: <BD9F1901-911A-49EB-9390-B18D8A9D0B30@nic.cz>
Date: Sun, 23 Sep 2012 12:28:04 +0200
To: dane WG list <dane@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
X-Mailer: Apple Mail (2.1498)
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
Subject: [dane] IETF 85 - meet or not to meet?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Sep 2012 10:28:09 -0000

--Apple-Mail=_67320362-37CE-453E-8B55-49013EEA27BF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Dear WG,

we did register a slot for IETF 85 (just in case), but from the volume
of the mailing list and just one WG draft (which we have just adopted), we
are quite unsure if there's enough interest in meeting.

I am personally inclined to cancel this meeting and reschedule for
next year.

Any comments (if saying yes, please also say why and attach an agenda
item suggestion :))?

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury@nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------


--Apple-Mail=_67320362-37CE-453E-8B55-49013EEA27BF--

From internet-drafts@ietf.org  Sun Sep 23 10:34:01 2012
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0CD921F84F3; Sun, 23 Sep 2012 10:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.491
X-Spam-Level: 
X-Spam-Status: No, score=-102.491 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ThzbXJvehZ3; Sun, 23 Sep 2012 10:34:01 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5037621F849A; Sun, 23 Sep 2012 10:34:01 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 4.34
Message-ID: <20120923173401.24368.31804.idtracker@ietfa.amsl.com>
Date: Sun, 23 Sep 2012 10:34:01 -0700
Cc: dane@ietf.org
Subject: [dane] I-D Action: draft-ietf-dane-smime-00.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Sep 2012 17:34:02 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the DNS-based Authentication of Named Entities Working Group of the IETF.

	Title           : Using Secure DNS to Associate Certificates with Domain Names For S/MIME
	Author(s)       : Paul Hoffman
                          Jakob Schlyter
	Filename        : draft-ietf-dane-smime-00.txt
	Pages           : 6
	Date            : 2012-09-23

Abstract:
   This document describes how to use secure DNS to associate an S/MIME
   user's certificate with the intended domain name, similar to the way
   that DANE (RFC 6698) does for TLS.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dane-smime

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-dane-smime-00


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From ondrej.sury@nic.cz  Mon Sep 24 06:10:47 2012
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E8721F854C for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 06:10:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.714
X-Spam-Level: 
X-Spam-Status: No, score=0.714 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EyiUQGv07Kul for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 06:10:42 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id 58F4521F8613 for <dane@ietf.org>; Mon, 24 Sep 2012 06:10:42 -0700 (PDT)
Received: from [IPv6:2001:67c:64:42:a9bc:dfa8:6e29:70ac] (unknown [IPv6:2001:67c:64:42:a9bc:dfa8:6e29:70ac]) by mail.nic.cz (Postfix) with ESMTPSA id 7741113FAA4 for <dane@ietf.org>; Mon, 24 Sep 2012 15:10:41 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1348492241; bh=fjrnnoOjTSR4c8cO8Q2WwU4MAYHK1HL63AzYMoCZ7XI=; h=From:Content-Type:Message-Id:Mime-Version:Subject:Date:References: To:In-Reply-To; b=cqF3NjELqla9hXYDswHZ4y++4ntoYpA1CuCcyQQkDARpKEwTeCIFNMp3cPetR8VWM hlo83gKknpRRwl2e/GRaFSH1QEz923DypnLkABsqms5FNzciD4do73/oB+pKKAZc7+ AjhReuwJTzY/QCEdo0lxXqgTvGlF8liNbCVn/KMY=
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
Content-Type: multipart/signed; boundary="Apple-Mail=_F43F04F2-C34A-4800-A750-A8498F7BE3FC"; protocol="application/pkcs7-signature"; micalg=sha1
Message-Id: <FBCB9053-91C3-4EBC-874E-97067A922E49@nic.cz>
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
Date: Mon, 24 Sep 2012 15:10:41 +0200
References: <BD9F1901-911A-49EB-9390-B18D8A9D0B30@nic.cz>
To: dane WG list <dane@ietf.org>
In-Reply-To: <BD9F1901-911A-49EB-9390-B18D8A9D0B30@nic.cz>
X-Mailer: Apple Mail (2.1498)
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
Subject: Re: [dane] IETF 85 - meet or not to meet?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 13:10:47 -0000

--Apple-Mail=_F43F04F2-C34A-4800-A750-A8498F7BE3FC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

More specifically, we are going to cancel the session after Oct 4th
unless we hear from you that you want to meet and we have an agenda.

O.

On 23. 9. 2012, at 12:28, Ondřej Surý <ondrej.sury@nic.cz> wrote:

> Dear WG,
> 
> we did register a slot for IETF 85 (just in case), but from the volume
> of the mailing list and just one WG draft (which we have just adopted), we
> are quite unsure if there's enough interest in meeting.
> 
> I am personally inclined to cancel this meeting and reschedule for
> next year.
> 
> Any comments (if saying yes, please also say why and attach an agenda
> item suggestion :))?
> 
> O.
> --
> Ondřej Surý -- Chief Science Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:ondrej.sury@nic.cz    http://nic.cz/
> tel:+420.222745110       fax:+420.222745112
> -------------------------------------------
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury@nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------


--Apple-Mail=_F43F04F2-C34A-4800-A750-A8498F7BE3FC--

From rbarnes@bbn.com  Mon Sep 24 06:37:24 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8FAD21F8699 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 06:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.568
X-Spam-Level: 
X-Spam-Status: No, score=-107.568 tagged_above=-999 required=5 tests=[AWL=1.029, BAYES_00=-2.599, GB_I_LETTER=-2, HS_INDEX_PARAM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P4am5z99sObv for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 06:37:23 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 6770121F8688 for <dane@ietf.org>; Mon, 24 Sep 2012 06:37:23 -0700 (PDT)
Received: from [128.89.253.48] (port=56937) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1TG8qg-000HL0-I1; Mon, 24 Sep 2012 09:37:22 -0400
Date: Mon, 24 Sep 2012 15:37:22 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Warren Kumari <warren@kumari.net>
Message-ID: <C93F9961257B4ADFA226AD8C89290362@bbn.com>
In-Reply-To: <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net>
X-Mailer: sparrow 1.6.3 (build 1172)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="50606212_3804823e_7b3"
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 13:37:24 -0000

--50606212_3804823e_7b3
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

In general, I support the idea of what this document is trying to do.
But there are a couple of problems with their concrete approach.  Without
delving into a full review…

-- The algorithm for domain names is really insufficient.  For example, I
have the email address ceci.nest.pas.une.adresse@gmail.com -- how do the
dots get encoded?  I realize that the DNS wire format allows labels to
have dots, but good luck making most libraries make that query.

-- I don't really see why we need a new RR type here, beyond the cognitive
dissonance caused by the three letters "TLS".

So I guess that's a vote in general favor, but maybe another rev wouldn't
hurt.

--Richard



-- 
Richard Barnes
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Friday, September 21, 2012 at 7:27 PM, Warren Kumari wrote:

> 
> On Sep 10, 2012, at 5:25 PM, Warren Kumari <warren@kumari.net
> (mailto:warren@kumari.net)> wrote:
> 
> > Dear WG,
> > 
> > This draft has already received some comment (and has been revised to
> > incorporate / address those), so I'm assuming that there will be
> > sufficient interest to adopt, but for the form of the thing:
> > 
> > This starts a call for adoption of draft-hoffman-dane-smime.
> > Please provide feedback as to if you would like this draft adopted by
> > Sept 17th, 2012.
> > 
> 
> 
> We have discussed this, and see sufficient interest for adopting this
> draft -- would the authors please re-submit as draft-dane-?
> 
> W
> 
> > 
> > W
> > 
> > -- 
> > Never criticize a man till you've walked a mile in his shoes.  Then if
> > he didn't like what you've said, he's a mile away and barefoot.
> > 
> 
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org (mailto:dane@ietf.org)
> https://www.ietf.org/mailman/listinfo/dane
> 
> 



--50606212_3804823e_7b3--


From miekg@atoom.net  Mon Sep 24 06:49:27 2012
Return-Path: <miekg@atoom.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7663321F8629 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 06:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.199
X-Spam-Level: 
X-Spam-Status: No, score=-3.199 tagged_above=-999 required=5 tests=[AWL=1.400,  BAYES_00=-2.599, GB_I_LETTER=-2]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u5xxRLfq6eb3 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 06:49:26 -0700 (PDT)
Received: from elektron.atoom.net (elektron.atoom.net [85.223.71.124]) by ietfa.amsl.com (Postfix) with ESMTP id 5E09D21F8602 for <dane@ietf.org>; Mon, 24 Sep 2012 06:49:26 -0700 (PDT)
Received: by elektron.atoom.net (Postfix, from userid 1000) id 5A7284001D; Mon, 24 Sep 2012 15:49:25 +0200 (CEST)
Date: Mon, 24 Sep 2012 15:49:25 +0200
From: Miek Gieben <miek@miek.nl>
To: dane@ietf.org
Message-ID: <20120924134925.GA9495@miek.nl>
Mail-Followup-To: dane@ietf.org
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
In-Reply-To: <C93F9961257B4ADFA226AD8C89290362@bbn.com>
User-Agent: Vim/Mutt/Linux
X-Home: http://www.miek.nl
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 13:49:27 -0000

--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[ Quoting <rbarnes@bbn.com> in "Re: [dane] Call for Adoption: draft..." ]
> In general, I support the idea of what this document is trying to do.  But
> there are a couple of problems with their concrete approach.  Without delving
> into a full review…
> 
> -- The algorithm for domain names is really insufficient.  For example, I have
> the email address ceci.nest.pas.une.adresse@gmail.com -- how do the dots get
> encoded?  I realize that the DNS wire format allows labels to have dots, but
> good luck making most libraries make that query.

Huh? Reading from section 3: (http://tools.ietf.org/html/draft-hoffman-dane-smime-04)

Design note: Encoding the user name with Base32 allows local parts
that have characters that would prevent their use in domain names.
For example, a period (".") is a valid character in a local part, but
would wreak havoc in a domain name.  Similarly, [RFC6530] allows non-
ASCII characters in local parts, and encoding a local part with non-
ASCII characters with Base32 renders the name usable in the DNS.

> -- I don't really see why we need a new RR type here, beyond the cognitive
> dissonance caused by the three letters "TLS".

new RRs are cheap. Why not get one?

grtz Miek

--NzB8fVQJ5HfG6fxh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlBgZOUACgkQJYuFzziA0PZaPgCaAi3I5O//IcehmWkASGQisQxu
1/sAoOBqLqqZZAfPI/BxJvFfBcQ0lHy5
=q/Gn
-----END PGP SIGNATURE-----

--NzB8fVQJ5HfG6fxh--
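
The design note Miek quotes above says how the local part is made DNS-safe
but not what the resulting owner name looks like, nor where the encoding
runs into DNS limits. What follows is an added example written for this
archive; it is not code from the draft, from its authors, or from anyone
posting in this thread. It assumes an owner-name layout of
<base32(local-part)>._smimecert.<domain> (the "_smimecert" label is an
assumption made here for illustration), uses RFC 4648 Base32 with the "="
padding stripped and the result lowercased, and enforces the 63-octet DNS
label limit, which a Base32 label exceeds once the local part is longer
than 39 octets. It also builds the unencoded name for Richard's example
address so the dot problem he raised is visible side by side.

```python
# Added example for this archive: owner-name construction for an S/MIME
# address by Base32-encoding the local part, as the design note quoted above
# describes.  Not code from the draft or from anyone on the list.
#
# Assumptions (the page does not state them):
#   * layout is <base32(local-part)>._smimecert.<domain>; "_smimecert" is an
#     assumed label name used for illustration,
#   * RFC 4648 Base32, '=' padding removed, result lowercased, so the label
#     holds only letters and digits.
import base64
from typing import Tuple

SMIMECERT_LABEL = "_smimecert"  # assumed label name, see header comment
MAX_LABEL_OCTETS = 63           # RFC 1035: one label is at most 63 octets
MAX_NAME_OCTETS = 253           # practical limit for a name in text form


def split_address(email: str) -> Tuple[str, str]:
    """Split a plain addr-spec on its '@'.

    Quoted local parts (which may themselves contain '@') are out of scope
    for this example, so exactly one '@' is required.
    """
    if email.count("@") != 1:
        raise ValueError("expected exactly one '@' in the address")
    local, domain = email.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    return local, domain


def encode_local_part(local: str) -> str:
    """Base32-encode the UTF-8 form of the local part.

    Using the UTF-8 octets covers the non-ASCII local parts that RFC 6530
    allows.  Dots, '+', '!' and similar characters all disappear into the
    A-Z2-7 alphabet, so the result is a single DNS label.
    """
    raw = local.encode("utf-8")
    label = base64.b32encode(raw).decode("ascii").rstrip("=").lower()
    if len(label) > MAX_LABEL_OCTETS:
        raise ValueError(
            "local part of %d octets encodes to a %d-octet label; DNS labels "
            "are limited to %d octets" % (len(raw), len(label), MAX_LABEL_OCTETS)
        )
    return label


def decode_local_part(label: str) -> str:
    """Reverse encode_local_part: restore padding to a multiple of 8, decode."""
    upper = label.upper()
    padded = upper + "=" * (-len(upper) % 8)
    return base64.b32decode(padded).decode("utf-8")


def smimea_owner_name(email: str) -> str:
    """Owner name to query for the certificate of the given address."""
    local, domain = split_address(email)
    name = "%s.%s.%s" % (encode_local_part(local), SMIMECERT_LABEL, domain.lower())
    if len(name) > MAX_NAME_OCTETS:
        raise ValueError("resulting name is too long for the DNS")
    return name


def naive_owner_name(email: str) -> str:
    """The unencoded form: the local part is dropped in verbatim.

    Every '.' in the local part becomes a label boundary, which is the
    problem raised in the thread.
    """
    local, domain = split_address(email)
    return "%s.%s.%s" % (local, SMIMECERT_LABEL, domain.lower())


def label_count(name: str) -> int:
    """Number of labels a resolver library would see in a textual name."""
    return len(name.split("."))


if __name__ == "__main__":
    addr = "ceci.nest.pas.une.adresse@gmail.com"   # address from the thread
    for fn in (naive_owner_name, smimea_owner_name):
        name = fn(addr)
        print("%-18s %2d labels  %s" % (fn.__name__, label_count(name), name))
```

Running the module prints both names for ceci.nest.pas.une.adresse@gmail.com:
the unencoded form has eight labels, the encoded one four, and the encoded
label contains nothing but letters and digits. Two caveats for anyone
building on this: a local part longer than 39 octets cannot fit in one
Base32 label, which is a real limit for RFC 6530 addresses; and the SMIMEA
record as eventually published in RFC 8162 replaced the Base32 encoding
with a truncated SHA2-256 hash of the local part, so this layout matches the
2012 draft under discussion, not the final RFC.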

From rbarnes@bbn.com  Mon Sep 24 07:17:19 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F3F021F87B4 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 07:17:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.662
X-Spam-Level: 
X-Spam-Status: No, score=-107.662 tagged_above=-999 required=5 tests=[AWL=0.936, BAYES_00=-2.599, GB_I_LETTER=-2, HTML_MESSAGE=0.001,  RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QrrwKRCizQKq for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 07:17:18 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 2F2B421F87B2 for <dane@ietf.org>; Mon, 24 Sep 2012 07:17:18 -0700 (PDT)
Received: from [128.89.253.48] (port=57184) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1TG9TH-0000Fq-IV; Mon, 24 Sep 2012 10:17:15 -0400
Date: Mon, 24 Sep 2012 16:17:15 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Miek Gieben <miek@miek.nl>
Message-ID: <F98183AFDDFD449982489E5D3AB81534@bbn.com>
In-Reply-To: <20120924134925.GA9495@miek.nl>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com> <20120924134925.GA9495@miek.nl>
X-Mailer: sparrow 1.6.3 (build 1172)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="50606b6b_23f9c13c_7b3"
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 14:17:19 -0000

On Monday, September 24, 2012 at 3:49 PM, Miek Gieben wrote:
> [ Quoting <rbarnes@bbn.com (mailto:rbarnes@bbn.com)> in "Re: [dane] Call for Adoption: draft..." ]
> > In general, I support the idea of what this document is trying to do. But
> > there are a couple of problems with their concrete approach. Without delving
> > into a full review…
> > 
> > -- The algorithm for domain names is really insufficient. For example, I have
> > the email address ceci.nest.pas.une.adresse@gmail.com (mailto:ceci.nest.pas.une.adresse@gmail.com) -- how do the dots get
> > encoded? I realize that the DNS wire format allows labels to have dots, but
> > good luck making most libraries make that query.
> > 
> 
> Huh? Reading from section 3: (http://tools.ietf.org/html/draft-hoffman-dane-smime-04)
> 

Thanks.  That's what I get for replying to email under the influence of jet lag.

> 
> > -- I don't really see why we need a new RR type here, beyond the cognitive
> > dissonance caused by the three letters "TLS".
> > 
> 
> new RRs are cheap. Why not get one?
Why *would* you?  The cert/chain matching semantics are the same, the only difference is how you get the cert/chain (S/MIME vs. TLS).

New RRs are not *that* cheap.  Yes, servers and resolvers usually do let you provision arbitrary RR types by number, but that's not nearly as nice as having a real syntax, which takes time to develop and deploy.  If you've got TLSA and you just need people to look for it in a different place, why bother going to the effort of making everyone support a new type?


--Richard


> 
> grtz Miek

From mamille2@cisco.com  Mon Sep 24 07:26:09 2012
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Richard Barnes <rbarnes@bbn.com>
Cc: "<dane@ietf.org>" <dane@ietf.org>
Date: Mon, 24 Sep 2012 14:26:08 +0000
Message-ID: <FA8F0CF0-4B85-4C45-81D3-8D874AE66C6B@cisco.com>
In-Reply-To: <F98183AFDDFD449982489E5D3AB81534@bbn.com>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

On Sep 24, 2012, at 08:17, Richard Barnes wrote:

> On Monday, September 24, 2012 at 3:49 PM, Miek Gieben wrote:
>> [ Quoting <rbarnes@bbn.com (mailto:rbarnes@bbn.com)> in "Re: [dane] Call for Adoption: draft..." ]
>> 
>>> -- I don't really see why we need a new RR type here, beyond the cognitive
>>> dissonance caused by the three letters "TLS".
>>> 
>> 
>> new RRs are cheap. Why not get one?
> Why *would* you?  The cert/chain matching semantics are the same, the only difference is how you get the cert/chain (S/MIME vs. TLS).
> 
> New RRs are not *that* cheap.  Yes, servers and resolvers usually do let you provision arbitrary RR types by number, but that's not nearly as nice as having a real syntax, which takes time to develop and deploy.  If you've got TLSA and you just need people to look for it in a different place, why bother going to the effort of making everyone support a new type?
> 

My thoughts exactly.


- m&m

Matt Miller - <mamille2@cisco.com>
Cisco Systems, Inc.



From miekg@atoom.net  Mon Sep 24 07:27:36 2012
Date: Mon, 24 Sep 2012 16:27:32 +0200
From: Miek Gieben <miek@miek.nl>
To: dane@ietf.org
Message-ID: <20120924142732.GB9495@miek.nl>
In-Reply-To: <F98183AFDDFD449982489E5D3AB81534@bbn.com>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

[ Quoting <rbarnes@bbn.com> in "Re: [dane] Call for Adoption: draft..." ]
> New RRs are not *that* cheap.  Yes, servers and resolvers usually do let you
> provision arbitrary RR types by number, but that's not nearly as nice as having
> a real syntax, which takes time to develop and deploy.  If you've got TLSA and
> you just need people to look for it in a different place, why bother going to
> the effort of making everyone support a new type?

Fair enough. Looking back in the -00 there is even:

2.2.  Format of the Resource Record

   [[ This will be the same as for TLSA because there is no reason for
   the two to diverge.  Lots of text lifted from the TLSA document. ]]

Which would further prove your point about reusing TLSA.

But what about other SSL-like protocols (if/when they are defined for DANE
use)? Should they also re-use TLSA or always use a prefix label? It would
be nice to get some kind of consistency: either they *all* use TLSA or they
*all* use a prefix label.

 Regards,

-- 
    Miek Gieben                                                   http://miek.nl


From rbarnes@bbn.com  Mon Sep 24 07:39:26 2012
Date: Mon, 24 Sep 2012 16:39:24 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Miek Gieben <miek@miek.nl>
Cc: dane@ietf.org
Message-ID: <8A01227AE22A4EA9BB387AF46A50A74E@bbn.com>
In-Reply-To: <20120924142732.GB9495@miek.nl>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

On Monday, September 24, 2012 at 4:27 PM, Miek Gieben wrote:
> [ Quoting <rbarnes@bbn.com (mailto:rbarnes@bbn.com)> in "Re: [dane] Call for Adoption: draft..." ]
> > New RRs are not *that* cheap. Yes, servers and resolvers usually do let you
> > provision arbitrary RR types by number, but that's not nearly as nice as having
> > a real syntax, which takes time to develop and deploy. If you've got TLSA and
> > you just need people to look for it in a different place, why bother going to
> > the effort of making everyone support a new type?
> > 
> 
> 
> Fair enough. Looking back in the -00 there is even:
> 
> 2.2. Format of the Resource Record
> 
> [[ This will be the same as for TLSA because there is no reason for
> the two to diverge. Lots of text lifted from the TLSA document. ]]
> 
> Which would further proof your point about reusing TLSA. 
> 
> But what about other SSL-like protocols (if/when they are defined for DANE
> use). Should they also re-use TLSA or always use a prefix label? It would
> be nice to get some kind of constency, either they *all* use TLSA or they
> *all* use a prefix label.
> 
> 

There's a saying that goes, "We'll cross that bridge when we come to it." :)

Do you have an example of such a protocol?

--Richard




From miekg@atoom.net  Mon Sep 24 07:44:08 2012
Date: Mon, 24 Sep 2012 16:43:59 +0200
From: Miek Gieben <miek@miek.nl>
To: dane@ietf.org
Message-ID: <20120924144359.GC9495@miek.nl>
In-Reply-To: <8A01227AE22A4EA9BB387AF46A50A74E@bbn.com>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

[ Quoting <rbarnes@bbn.com> in "Re: [dane] Call for Adoption: draft..." ]
> There's a saying that goes, "We'll cross that bridge when we come to it." :)
> 
> Do you have an example of such a protocol?

uhm... ftps?


 Regards,

-- 
    Miek Gieben                                                   http://miek.nl


From rbarnes@bbn.com  Mon Sep 24 07:52:07 2012
Date: Mon, 24 Sep 2012 16:52:05 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Miek Gieben <miek@miek.nl>
Cc: dane@ietf.org
Message-ID: <5599DE4BDD364198BB815C08A43B28AD@bbn.com>
In-Reply-To: <20120924144359.GC9495@miek.nl>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

FTPS is FTP over TLS :)  

Yeah, it does STARTTLS instead of jumping straight in, but it's still TLS. 

Even supposing there is an example, I don't really see the conflict.  The existence of a TLSA record under _port._protocol.example.com doesn't necessarily make any statements about what protocol is running on the indicated port.  RFC 6698 says what you do *if* you use TLS, but it doesn't rule out using it for some other protocol.  So if your favorite security protocol uses X.509 certificates to authenticate domain names, you can still use it.  

There is a risk of swapping out protocols, I guess, if an attacker can, say, run a TLS service with a matching cert on the same port.  But that doesn't jump out at me as a terribly likely or terribly damaging scenario. 

-- 
Richard Barnes
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Monday, September 24, 2012 at 4:43 PM, Miek Gieben wrote:

> [ Quoting <rbarnes@bbn.com (mailto:rbarnes@bbn.com)> in "Re: [dane] Call for Adoption: draft..." ]
> > There's a saying that goes, "We'll cross that bridge when we come to it." :)
> > 
> > Do you have an example of such a protocol?
> 
> uhm... ftps?
> 
> 
> Regards,
> 
> -- 
> Miek Gieben http://miek.nl
> 
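As an added example, not code from the thread, the draft or RFC 6698 itself: the TLSA owner-name construction and certificate-association matching that the message above says S/MIME could reuse unchanged. The certificate and SubjectPublicKeyInfo inputs are constructed stand-ins rather than real DER, and the helper names (tlsa_owner_name, parse_tlsa, tlsa_matches, demo) are my own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample inputs: NOT real DER, just stand-ins for a certificate and
# its SubjectPublicKeyInfo as a caller would extract them from a real chain.
CONSTRUCTED_CERT = b"constructed-stand-in-for-a-DER-certificate"
CONSTRUCTED_SPKI = b"constructed-stand-in-for-the-SubjectPublicKeyInfo"


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698 2.1.1)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo (2.1.2)
    matching: int   # 0 exact match, 1 SHA-256, 2 SHA-512 (2.1.3)
    data: bytes     # certificate association data (2.1.4)


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Build the RFC 6698 owner name '_<port>._<proto>.<host>.'.

    Only the port and transport are encoded; as the message above notes,
    nothing in the name states which application protocol is spoken there.
    """
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    proto = proto.lower()
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown transport: {proto}")
    return f"_{port}._{proto}.{host.rstrip('.').lower()}."


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the presentation format 'usage selector matching hex...'.

    RFC 6698 2.2 allows whitespace inside the hex data, so trailing fields
    are joined before decoding. Values outside the registered ranges, or
    hashed association data of the wrong length, are rejected.
    """
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"bad certificate usage: {usage}")
    if selector not in (0, 1):
        raise ValueError(f"bad selector: {selector}")
    if matching not in (0, 1, 2):
        raise ValueError(f"bad matching type: {matching}")
    data = bytes.fromhex("".join(fields[3:]))
    expected_len = {1: 32, 2: 64}.get(matching)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError(f"matching type {matching} needs {expected_len} bytes")
    return TLSARecord(usage, selector, matching, data)


def is_valid_tlsa(presentation: str) -> bool:
    """True if the presentation-format record parses and is well-formed."""
    try:
        parse_tlsa(presentation)
        return True
    except ValueError:
        return False


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the selector, then the matching type, to the offered certificate.

    This step is identical whether the chain came from a TLS handshake or an
    S/MIME message; only how cert_der/spki_der were obtained differs.
    The comparison is constant-time and a length mismatch simply fails.
    """
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        digest = selected
    elif record.matching == 1:
        digest = hashlib.sha256(selected).digest()
    else:
        digest = hashlib.sha512(selected).digest()
    return hmac.compare_digest(digest, record.data)


def demo() -> dict:
    """Run the constructed sample through name construction and matching."""
    spki_hash = hashlib.sha256(CONSTRUCTED_SPKI).hexdigest()
    # Hex split across two fields, as the presentation format permits.
    dane_ee = parse_tlsa(f"3 1 1 {spki_hash[:32]} {spki_hash[32:]}")
    exact = parse_tlsa("3 0 0 " + CONSTRUCTED_CERT.hex())
    wrong = TLSARecord(3, 1, 1, bytes(32))  # association data that cannot match
    return {
        "owner": tlsa_owner_name("Mail.Example.COM.", 25),
        "dane_ee_matches": tlsa_matches(dane_ee, CONSTRUCTED_CERT, CONSTRUCTED_SPKI),
        "exact_matches": tlsa_matches(exact, CONSTRUCTED_CERT, CONSTRUCTED_SPKI),
        "wrong_matches": tlsa_matches(wrong, CONSTRUCTED_CERT, CONSTRUCTED_SPKI),
        "bad_length_accepted": is_valid_tlsa("3 1 1 abcd"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```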


From paul@cypherpunks.ca  Mon Sep 24 08:02:30 2012
Date: Mon, 24 Sep 2012 11:02:27 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
To: Richard Barnes <rbarnes@bbn.com>
Cc: IETF DANE WG list <dane@ietf.org>
Message-ID: <alpine.LFD.2.02.1209241056440.29827@bofh.nohats.ca>
In-Reply-To: <C93F9961257B4ADFA226AD8C89290362@bbn.com>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-List-Received-Date: Mon, 24 Sep 2012 15:02:30 -0000

On Mon, 24 Sep 2012, Richard Barnes wrote:

> -- I don't really see why we need a new RR type here, beyond the cognitive dissonance caused by the three letters "TLS".

What _port._protocol would one store the SMIME information under?

If only we had decided not to use protoport prefixing....

Now we could say, store it _like_ the TLSA record at _smimecert. But
technically speaking, that is no longer a TLSA record, which
uses _port._protocol prefixing.

We'll get more of these types of records, we might as well allocate
a new RR for this one too.

Paul

From rbarnes@bbn.com  Mon Sep 24 08:06:11 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFDD721F87C4 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 08:06:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.719
X-Spam-Level: 
X-Spam-Status: No, score=-107.719 tagged_above=-999 required=5 tests=[AWL=0.878, BAYES_00=-2.599, GB_I_LETTER=-2, HS_INDEX_PARAM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DSxHk5ZBClMn for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 08:06:11 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 368E021F87BA for <dane@ietf.org>; Mon, 24 Sep 2012 08:06:11 -0700 (PDT)
Received: from [128.89.253.48] (port=57412) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1TGAEO-0000rf-Uv; Mon, 24 Sep 2012 11:05:57 -0400
Date: Mon, 24 Sep 2012 17:05:56 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Paul Wouters <paul@cypherpunks.ca>
Message-ID: <2752740638CF4FA1AA37E7F41A3A9D89@bbn.com>
In-Reply-To: <alpine.LFD.2.02.1209241056440.29827@bofh.nohats.ca>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com> <alpine.LFD.2.02.1209241056440.29827@bofh.nohats.ca>
X-Mailer: sparrow 1.6.3 (build 1172)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="506076d4_5fb8011c_7b3"
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 15:06:12 -0000

--506076d4_5fb8011c_7b3
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Oh, I'm totally not objecting to the lhs._smimecert.rhs syntax for this use case.  That makes a lot of sense, not least because S/MIME isn't a transport-layer service.  

I was just saying that in general, I don't really see a need for RR types other than TLSA -- especially because protocols can define their own mechanisms for finding TLSA records. 

-- 
Richard Barnes
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Monday, September 24, 2012 at 5:02 PM, Paul Wouters wrote:

> On Mon, 24 Sep 2012, Richard Barnes wrote:
> 
> > -- I don't really see why we need a new RR type here, beyond the cognitive dissonance caused by the three letters "TLS".
> 
> What _port._protocol would one store the SMIME information under?
> 
> If only we had decided not to use protoport prefixing....
> 
> Now we could say, store it _like_ the TLSA record at _smimecert. But
> technically speaking, that is no longer a TLSA record, which
> uses _port._protocol prefixing.
> 
> We'll get more of these types of records, we might as well allocate
> a new RR for this one too.
> 
> Paul 


--506076d4_5fb8011c_7b3--


From paul.hoffman@vpnc.org  Mon Sep 24 09:52:01 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5473021F8810 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 09:52:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pLXRgX8v-L4t for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 09:52:00 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id A178821F880C for <dane@ietf.org>; Mon, 24 Sep 2012 09:52:00 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q8OGpvI1017370 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <dane@ietf.org>; Mon, 24 Sep 2012 09:51:58 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
Date: Mon, 24 Sep 2012 09:51:57 -0700
To: IETF DANE WG list <dane@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
X-Mailer: Apple Mail (2.1498)
Subject: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 16:52:01 -0000

I'm starting this as a new thread because Richard conflated two topics *and* missed the fact that there is already a WG document.

The question becomes what the registration of an RRtype "means". If it means the bits on the wire of the *response* and their semantics, then I think the S/MIME document can use the TLSA RRtype. If an RRtype also means the bits on the wire of the request and response, we can't.

Personally, I think that the RRtype is defined just by the bits in the response, so we could reuse, but others might disagree.

--Paul Hoffman

From rbarnes@bbn.com  Mon Sep 24 09:55:38 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8466721F880C for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 09:55:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.778
X-Spam-Level: 
X-Spam-Status: No, score=-106.778 tagged_above=-999 required=5 tests=[AWL=-0.181, BAYES_00=-2.599, HS_INDEX_PARAM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sRoN+OkrR77I for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 09:55:37 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id A186A21F8807 for <dane@ietf.org>; Mon, 24 Sep 2012 09:55:37 -0700 (PDT)
Received: from [128.89.253.48] (port=58289) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1TGBwT-000LeU-8i; Mon, 24 Sep 2012 12:55:33 -0400
Date: Mon, 24 Sep 2012 18:55:32 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <E0F96E5D300846C6872F8755F6368A39@bbn.com>
In-Reply-To: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
X-Mailer: sparrow 1.6.3 (build 1172)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="50609084_5675ff36_7b3"
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 16:55:38 -0000

--50609084_5675ff36_7b3
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Ok, yeah, I am really off today. 

FWIW, in case it wasn't clear, I am in favor of re-using the TLSA RR type for S/MIME (finding it under a different name).   That is, removing Section 5.1 from the WG document, which is mis-named anyway.

--Richard


-- 
Richard Barnes
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Monday, September 24, 2012 at 6:51 PM, Paul Hoffman wrote:

> I'm starting this as a new thread because Richard conflated two topics *and* missed the fact that there is already a WG document.
> 
> The question becomes what the registration of an RRtype "means". If it means the bits on the wire of the *response* and their semantics, then I think the S/MIME document can use the TLSA RRtype. If an RRtype also means the bits on the wire of the request and response, we can't.
> 
> Personally, I think that the RRtype is defined just by the bits in the response, so we could reuse, but others might disagree.
> 
> --Paul Hoffman
> _______________________________________________
> dane mailing list
> dane@ietf.org (mailto:dane@ietf.org)
> https://www.ietf.org/mailman/listinfo/dane
> 
> 



--50609084_5675ff36_7b3--


From cloos@jhcloos.com  Mon Sep 24 10:05:38 2012
Return-Path: <cloos@jhcloos.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C76821F8821 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 10:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id asfW1MCklMP4 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 10:05:37 -0700 (PDT)
Received: from eagle.jhcloos.com (eagle.jhcloos.com [IPv6:2001:1938:12d::53]) by ietfa.amsl.com (Postfix) with ESMTP id 8786B21F8826 for <dane@ietf.org>; Mon, 24 Sep 2012 10:05:37 -0700 (PDT)
Received: by eagle.jhcloos.com (Postfix, from userid 10) id 345A64012D; Mon, 24 Sep 2012 17:05:12 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhcloos.com; s=eagle; t=1348506336; bh=PKxT0pXMbkOoD7fM7Wm4a2bbpGioeeX1lRnjlJKIjNc=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=Ym/sOsdI0vuFBX4mVqCz9Y2OwVikZuGashxGFuV6WOdsYSaD0Ynh75Q9EZiXxc/aQ GiPHFxdOvRTIv6ED/W0w0q1lbRqWZhu//jxHvVhHWcWQoqZ/kfk+8QZiu0ABcWPzL0 XBfmWn2bzXMAV5wnQM2w9jmkPuA/YZ0v/NreNS0c=
Received: by carbon.jhcloos.org (Postfix, from userid 500) id 4439940056; Mon, 24 Sep 2012 16:38:55 +0000 (UTC)
From: James Cloos <cloos@jhcloos.com>
To: IETF DANE WG list <dane@ietf.org>
In-Reply-To: <alpine.LFD.2.02.1209241056440.29827@bofh.nohats.ca> (Paul Wouters's message of "Mon, 24 Sep 2012 11:02:27 -0400 (EDT)")
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com> <alpine.LFD.2.02.1209241056440.29827@bofh.nohats.ca>
User-Agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.2.50 (gnu/linux)
Face: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQAgMAAABinRfyAAAACVBMVEX///8ZGXBQKKnCrDQ3 AAAAJElEQVQImWNgQAAXzwQg4SKASgAlXIEEiwsSIYBEcLaAtMEAADJnB+kKcKioAAAAAElFTkSu QmCC
Copyright: Copyright 2012 James Cloos
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B  63E7 997A 9F17 ED7D AEA6
Date: Mon, 24 Sep 2012 12:38:55 -0400
Message-ID: <m3haqnv0hz.fsf@carbon.jhcloos.org>
Lines: 40
MIME-Version: 1.0
Content-Type: text/plain
X-Hashcash: 1:30:120924:dane@ietf.org::sHT3NdkiHGzmhVPx:000OC613
X-Hashcash: 1:30:120924:paul@cypherpunks.ca::pr5IW9R91DlA/E97:00000000000000000000000000000000000000000/eO/A
X-Hashcash: 1:30:120924:rbarnes@bbn.com::AuonCJL1CNs/SDcC:0FQZoB
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 17:05:38 -0000

>>>>> "PW" == Paul Wouters <paul@cypherpunks.ca> writes:

PW> If only we had decided not to use protoport prefixing....

What does that have to do with anything?  :/

An RR is defined by its wire format.  A TLSA RR is still a TLSA RR no
matter where it happens to be in the DNS.

Just like any other RR.  Eg:

     foo.example.org in ptr bar

is still a PTR RR.  No matter how unlikely it should be that anyone
might dig(1) it.

It occurs to me that what we really need is a spec for how to find *any*
tls cert association to a label which looks like an email address.  I.e.,
has a right-hand-part which looks like -- and can be looked up like --
a hostname, a left-hand-part which is constrained only by length and an
ascii '@' separating the two.  This covers all of the typical client
certs, whether for interacting with a TLS server, email, code-signing
or anything else which might use email-like labeling.

An smime-specific draft could then reference the more general spec.

We'd need to specify something more general than _smimecert.

And it shouldn't have 'client' in the name, either.  There is no reason
to presume that a foo@bar label implies the concept of 'client'.

Maybe '_at'?  That would make my primary email address look like:

      mnwg633t._at.jhcloos.com 

Nice, generic, and suitable for all such usage.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
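
Three points in this thread are about the same thing: Paul Wouters asks where a record without a _port._protocol prefix could live, Paul Hoffman asks whether an RRtype is defined by the response bits alone, and James Cloos answers that an RR is its wire format regardless of owner name. The following Python is an added example written for this archive, not code from draft-hoffman-dane-smime, RFC 6698 or any project. It builds both owner-name shapes (_port._proto.host and lhs._smimecert.rhs), encodes and parses TLSA RDATA, and shows that the parser never consults the owner name. Assumptions: the lhs label is the hex form of SHA-256(local-part) truncated to 28 octets (the thread only gives the lhs._smimecert.rhs shape, not the encoding), the "certificate" is constructed sample bytes rather than a real X.509 object, and all function names are mine.

```python
"""DANE TLSA owner names and RDATA, as discussed in this thread.

Added example; not code from draft-hoffman-dane-smime or any project.
Assumptions: the left-hand label of the S/MIME owner name is the hex form
of SHA-256(local-part) truncated to 28 octets (the thread only gives the
shape lhs._smimecert.rhs), and the "certificate" used below is constructed
sample bytes, not a real X.509 object.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Registered field values from RFC 6698; anything else is unassigned.
CERT_USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}  # fixed association-data length per hash type


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """RFC 6698 owner name with port/protocol prefixing, e.g. _443._tcp.host."""
    return f"_{port}._{proto}.{host.lower().rstrip('.')}."


def smime_owner_name(email: str) -> str:
    """lhs._smimecert.rhs; lhs = hex(SHA-256(local-part)[:28]) is an assumption."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    # The local part is hashed as given (no case folding); only the DNS side is folded.
    lhs = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return f"{lhs}._smimecert.{domain.lower().rstrip('.')}."


def _check_fields(usage: int, selector: int, matching_type: int) -> None:
    # RFC 6698 treats records with unknown field values as unusable.
    if usage not in CERT_USAGES or selector not in SELECTORS or matching_type not in MATCHING_TYPES:
        raise ValueError("unassigned TLSA field value")


def build_tlsa_rdata(usage: int, selector: int, matching_type: int, cert_or_spki: bytes) -> bytes:
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    _check_fields(usage, selector, matching_type)
    if matching_type == 0:
        data = cert_or_spki
    elif matching_type == 1:
        data = hashlib.sha256(cert_or_spki).digest()
    else:
        data = hashlib.sha512(cert_or_spki).digest()
    return bytes([usage, selector, matching_type]) + data


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Decode RDATA. The owner name plays no part, so the same parser serves
    _443._tcp.host and lhs._smimecert.rhs records alike."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching_type = rdata[0], rdata[1], rdata[2]
    data = rdata[3:]
    _check_fields(usage, selector, matching_type)
    expected = DIGEST_LEN.get(matching_type)
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {matching_type} needs {expected} octets, got {len(data)}")
    return TLSA(usage, selector, matching_type, data)


def is_usable_rdata(rdata: bytes) -> bool:
    """True when the RDATA decodes cleanly under the checks above."""
    try:
        parse_tlsa_rdata(rdata)
        return True
    except ValueError:
        return False


def to_presentation(owner: str, rec: TLSA) -> str:
    """Zone-file form: owner IN TLSA usage selector matching-type hex-data."""
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.matching_type} {rec.assoc_data.hex()}"


def matches(rec: TLSA, candidate: bytes) -> bool:
    """Check a candidate against the record. The caller passes the DER
    certificate (selector 0) or its SubjectPublicKeyInfo (selector 1);
    X.509 parsing is outside this example."""
    if rec.matching_type == 0:
        expected = candidate
    elif rec.matching_type == 1:
        expected = hashlib.sha256(candidate).digest()
    else:
        expected = hashlib.sha512(candidate).digest()
    return hmac.compare_digest(rec.assoc_data, expected)


if __name__ == "__main__":
    cert = b"constructed sample bytes standing in for a DER certificate"
    rdata = build_tlsa_rdata(3, 0, 1, cert)  # DANE-EE, full cert, SHA-256
    rec = parse_tlsa_rdata(rdata)
    print(to_presentation(tlsa_owner_name("www.example.com", 443), rec))
    print(to_presentation(smime_owner_name("jim@example.com"), rec))
```

Run stand-alone it prints the same RDATA under both owner names; the only thing that differs between the TLS and S/MIME cases is the name the client constructs before the query, which is the thread's point about reuse. The length check on hashed association data and the rejection of unassigned field values are the parts a validator actually needs: a record that decodes but carries a wrong-length digest can never match anything and should be treated as unusable rather than silently skipped over.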

From mamille2@cisco.com  Mon Sep 24 10:06:57 2012
Return-Path: <mamille2@cisco.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC01F21E8045 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 10:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.689
X-Spam-Level: 
X-Spam-Status: No, score=-10.689 tagged_above=-999 required=5 tests=[AWL=-0.090, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yTmLkqA9VGHA for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 10:06:56 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id B381721F8822 for <dane@ietf.org>; Mon, 24 Sep 2012 10:06:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5214; q=dns/txt; s=iport; t=1348506407; x=1349716007; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=ESfcaIsI+V3GBtcf6gSpgJSdJ9VT3ZJF6Evd+57QxQo=; b=PoqeACcy0o64yhDv0LzVeCkMKIKoxpHIXT9td6u43dQsqhr+nikBJPsU yJ5exc8fDwN2i9jYG1cCOqqPb0Ivkfo6oTaWhoeGxaUPl9EMZajdg/z4F O84uQrWWXSklIyL/iA6uBI9oKRxskGZmdXyeq0NYLW+DOUIh9u31ra6rv E=;
X-Files: smime.p7s, PGP.sig : 2214, 535
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ai4FAIGRYFCtJV2b/2dsb2JhbABFhUS4e4EIgiABAQEDARIBZgULAgEIRgIwJQIEDgUOFIddBphin2iLHIVKYAOOa4EghVqOOoFpgmeCFw
X-IronPort-AV: E=Sophos;i="4.80,476,1344211200";  d="sig'?p7s'?scan'208";a="124745668"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-6.cisco.com with ESMTP; 24 Sep 2012 17:06:47 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q8OH6l0E010308 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 24 Sep 2012 17:06:47 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.219]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.02.0298.004; Mon, 24 Sep 2012 12:06:46 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: [dane] Reusing TLSA
Thread-Index: AQHNmnTvQD2x62iAGE2dgNir0RNHUpeaDO6A
Date: Mon, 24 Sep 2012 17:06:46 +0000
Message-ID: <91558793-B9DC-4FB4-8717-078F0A64430B@cisco.com>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
In-Reply-To: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-pgp-agent: GPGMail 1.3.3
x-originating-ip: [64.101.72.40]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19206.004
x-tm-as-result: No--34.561000-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Apple-Mail-6-832034395"
MIME-Version: 1.0
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 17:06:58 -0000

--Apple-Mail-6-832034395
Content-Type: multipart/signed; boundary=Apple-Mail-5-832034393; protocol="application/pkcs7-signature"; micalg=sha1


--Apple-Mail-5-832034393
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On Sep 24, 2012, at 10:51, Paul Hoffman wrote:

> I'm starting this as a new thread because Richard conflated two topics *and* missed the fact that there is already a WG document.
> 
> The question becomes what the registration of an RRtype "means". If it means the bits on the wire of the *response* and their semantics, then I think the S/MIME document can use the TLSA RRtype. If an RRtype also means the bits on the wire of the request and response, we can't.
> 
> Personally, I think that the RRtype is defined just by the bits in the response, so we could reuse, but others might disagree.
> 

In my naivete, I've interpreted the RRType to define the bits in the response.  Which explains why I've been confused why draft-hoffman-dane-smime can't re-use TLSA.


- m&m

Matt Miller - <mamille2@cisco.com>
Cisco Systems, Inc.


--Apple-Mail-5-832034393
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail-5-832034393--

--Apple-Mail-6-832034395
Content-Type: application/pgp-signature; x-mac-type=70674453; name="PGP.sig"
Content-Description: This is a digitally signed message part
Content-Disposition: inline; filename="PGP.sig"
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJQYJM2AAoJEJq6Ou0cgrSPN20IALnthTo3JiJjlsoMNJOb2lhx
yf51pa5Hj/H+TKQ7sXX4Z0MmPh5Tl4pVYQjsKEWaXAD0b87Lgkdn0e1AH9g11L0X
p3xwgO8I8jwWEEF/76WQEp1R1no5kL1kvVrM6QsV05yZQolqdigR67iv4brqGlBk
KrLAphzGYSQ9BsEb8KGm4FWlZ1U+Te79kC5C/sCMPKhbfJ1jcQNSsr6AKAm1EZif
itFconY+8Ue9o6Ssrd/S8+em4VHgeHrOrED71s9a1f2if6DyNJhDcU7sblEFw0HX
XZCPCD34lgStqvFDakgVTN/G3PdxG7osEY9axZsyqSC/30TVaukWmuvyahhmiJ4=
=obYC
-----END PGP SIGNATURE-----

--Apple-Mail-6-832034395--

From miekg@atoom.net  Mon Sep 24 10:12:49 2012
Return-Path: <miekg@atoom.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4758D21F8821 for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 10:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Level: 
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.086,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37il3YRRf8Yy for <dane@ietfa.amsl.com>; Mon, 24 Sep 2012 10:12:48 -0700 (PDT)
Received: from elektron.atoom.net (elektron.atoom.net [85.223.71.124]) by ietfa.amsl.com (Postfix) with ESMTP id 764D221F8829 for <dane@ietf.org>; Mon, 24 Sep 2012 10:12:48 -0700 (PDT)
Received: by elektron.atoom.net (Postfix, from userid 1000) id 01C6A3FFE7; Mon, 24 Sep 2012 19:12:46 +0200 (CEST)
Date: Mon, 24 Sep 2012 19:12:46 +0200
From: Miek Gieben <miek@miek.nl>
To: dane@ietf.org
Message-ID: <20120924171246.GB7802@miek.nl>
Mail-Followup-To: dane@ietf.org
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <91558793-B9DC-4FB4-8717-078F0A64430B@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="O5XBE6gyVG5Rl6Rj"
Content-Disposition: inline
In-Reply-To: <91558793-B9DC-4FB4-8717-078F0A64430B@cisco.com>
User-Agent: Vim/Mutt/Linux
X-Home: http://www.miek.nl
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 17:12:49 -0000

--O5XBE6gyVG5Rl6Rj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[ Quoting <mamille2@cisco.com> in "Re: [dane] Reusing TLSA..." ]
> > The question becomes what the registration of an RRtype "means". If it means the bits on the wire of the *response* and their semantics, then I think the S/MIME document can use the TLSA RRtype. If an RRtype also means the bits on the wire of the request and response, we can't.
> > 
> > Personally, I think that the RRtype is defined just by the bits in the response, so we could reuse, but others might disagree.
> > 
> 
> In my naivete, I've interpreted the RRType to define the bits in the response.  Which explains why I've been confused why draft-hoffman-dane-smime can't re-use TLSA.

The question does not even have the rdata part.

To me it looks as if we are in violent agreement: re-use TLSA in dane-smime.

 Regards,

-- 
    Miek Gieben                                                   http://miek.nl

--O5XBE6gyVG5Rl6Rj
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAlBglI4ACgkQJYuFzziA0PYsoACdHeu7Cw8PMhYMeR/PGHS5fu8I
wrAAoPmUBo3+ZLJrKLjob8N6JJUMecQ9
=2zQc
-----END PGP SIGNATURE-----

--O5XBE6gyVG5Rl6Rj--

From ogud@ogud.com  Mon Sep 24 10:36:15 2012
Message-ID: <50609A03.1050507@ogud.com>
Date: Mon, 24 Sep 2012 13:36:03 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
To: dane@ietf.org
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
In-Reply-To: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org>
Subject: Re: [dane] Reusing TLSA

On 24/09/2012 12:51, Paul Hoffman wrote:
> I'm starting this as a new thread because Richard conflated two
> topics *and* missed the fact that there is already a WG document.
>
> The question becomes what the registration of an RRtype "means". If
> it means the bits on the wire of the *response* and their semantics,
> then I think the S/MIME document can use the TLSA RRtype. If an
> RRtype also means the bits on the wire of the request and response,
> we can't.
>
> Personally, I think that the RRtype is defined just by the bits in
> the response, so we could reuse, but others might disagree.
>
> --Paul Hoffman
>

There are two parts to TLSA reuse.

1) the RDATA format
2) The registries created for TLSA RR fields.
	a) TLSA Certificate Usages
	b) TLSA Selectors
	c) TLSA Matching Types

Reuse of the TLSA format under another name can specify a different set
of registries to use for the different fields.
Reuse of TLSA RR by a protocol means subscribing to supporting new
entries in the above registries and even allowing new entries in there
that only make sense in one context.

The current draft is silent on registry usage, which I take to mean that the
TLSA registries are shared/inherited.

Having said this I'm not sure if I care if TLSA is used or SMIMEA.

PaulW, there is nothing in RFC6698 that says that NON-TLS uses of TLSA
MUST use the same naming schema as TLS uses.

	Olafur




From marka@isc.org  Mon Sep 24 14:48:54 2012
To: Richard Barnes <rbarnes@bbn.com>
From: Mark Andrews <marka@isc.org>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com>
In-reply-to: Your message of "Mon, 24 Sep 2012 15:37:22 +0200." <C93F9961257B4ADFA226AD8C89290362@bbn.com>
Date: Tue, 25 Sep 2012 07:48:38 +1000
Message-Id: <20120924214838.A80A0279A638@drugs.dv.isc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

In message <C93F9961257B4ADFA226AD8C89290362@bbn.com>, Richard Barnes writes:
> 
> In general, I support the idea of what this document is trying to do.  But there are a couple of problems with their concrete approach.  Without delving into a full review… 
> 
> -- The algorithm for domain names is really insufficient.  For example, I have the email address ceci.nest.pas.une.adresse@gmail.com -- how do the dots get encoded?  I realize that the DNS wire format allows labels to have dots, but good luck making most libraries make that query.

	The standard presentation format is

	ceci\.nest\.pas\.une\.adresse.gmail.com

	and yes most tools/libraries that handle domain names will handle
	this fine.  You can also encode the period as "\046".  There may be
	some broken tools that take 'LHS@RHS' and turn it into 'LHS.RHS'
	without escaping the periods but this really isn't hard to get
	correct.  This is also a 1/4 century old encoding so there is no
	excuse for any application to get this wrong.

% dig 'ceci\.nest\.pas\.une\046adresse.gmail.com'

; <<>> DiG 9.9.2rc1 <<>> ceci\.nest\.pas\.une\046adresse.gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6886
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ceci\.nest\.pas\.une\.adresse.gmail.com. IN A

;; AUTHORITY SECTION:
gmail.com.		60	IN	SOA	ns1.google.com. dns-admin.google.com. 1498358 21600 3600 1209600 300

;; Query time: 690 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 25 07:41:24 2012
;; MSG SIZE  rcvd: 121

% 

 
> -- I don't really see why we need a new RR type here, beyond the cognitive dissonance caused by the three letters "TLS".
> 
> So I guess that's a vote in general favor, but maybe another rev wouldn't hurt.
> 
> --Richard
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
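Mark's point about the escaped label, worked through as an added Python example (not code from the thread or from draft-hoffman-dane-smime): the local part of the address becomes one label in both presentation and wire format, and a tool that naively turns `LHS@RHS` into `LHS.RHS` gets seven labels instead of three. Any prefix label the draft puts in front of the local part is not modelled here.

```python
# Added example (not code from the thread or from draft-hoffman-dane-smime):
# encode the local part of an e-mail address as ONE DNS label, using the
# RFC 1035 presentation-format escapes Mark describes (\. and \DDD), and
# show the wire format that results.  Any prefix label the draft may add
# in front of the local part is deliberately not modelled here.

PRINTABLE = range(0x21, 0x7F)  # visible ASCII, the only bytes left unescaped


def escape_label(label: bytes) -> str:
    """Render one label in presentation format: '.' and '\\' get a
    backslash, anything outside visible ASCII becomes \\DDD (decimal)."""
    out = []
    for b in label:
        if b in (0x2E, 0x5C):            # '.' and '\'
            out.append("\\" + chr(b))
        elif b in PRINTABLE:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)
    return "".join(out)


def owner_name(email: str) -> str:
    """LHS@RHS -> <escaped LHS>.<RHS>: the whole local part is a single
    label, however many dots it contains."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % email)
    return escape_label(local.encode("utf-8")) + "." + domain


def parse_presentation(name: str) -> list:
    """Split a presentation-format name into raw labels, honouring
    \\. , \\\\ and \\DDD.  A trailing dot (absolute name) is accepted."""
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            digits = name[i + 1:i + 4]
            if len(digits) == 3 and all(d in "0123456789" for d in digits):
                cur.append(int(digits))            # \046 -> '.', kept inside the label
                i += 4
            elif i + 1 < len(name):
                cur += name[i + 1].encode("utf-8")  # \. or \\ -> literal byte
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % name)
        elif ch == ".":
            if not cur:
                raise ValueError("empty label in %r" % name)
            labels.append(bytes(cur))              # an unescaped dot ends the label
            cur = bytearray()
            i += 1
        else:
            cur += ch.encode("utf-8")
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels


def wire_format(labels: list) -> bytes:
    """RFC 1035 wire encoding: <length><bytes>... terminated by a zero
    length.  Dots inside a label are ordinary bytes here."""
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length %d out of range" % len(label))
        out.append(len(label))
        out += label
    out.append(0)
    return bytes(out)


if __name__ == "__main__":
    addr = "ceci.nest.pas.une.adresse@gmail.com"   # the address from the thread
    name = owner_name(addr)
    print(name)
    labels = parse_presentation(name)
    print(len(labels), "labels; first is", labels[0])
    # Both spellings used in the thread decode to the same labels:
    assert parse_presentation(r"ceci\.nest\.pas\.une\046adresse.gmail.com") == labels
    # A broken tool that just joins LHS.RHS produces seven labels instead of three:
    print(len(parse_presentation(addr.replace("@", "."))), "labels when left unescaped")
    print(wire_format(labels).hex())
```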

From marka@isc.org  Mon Sep 24 14:55:31 2012
To: James Cloos <cloos@jhcloos.com>
From: Mark Andrews <marka@isc.org>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <C93F9961257B4ADFA226AD8C89290362@bbn.com> <alpine.LFD.2.02.1209241056440.29827@bofh.nohats.ca> <m3haqnv0hz.fsf@carbon.jhcloos.org>
In-reply-to: Your message of "Mon, 24 Sep 2012 12:38:55 -0400." <m3haqnv0hz.fsf@carbon.jhcloos.org>
Date: Tue, 25 Sep 2012 07:55:13 +1000
Message-Id: <20120924215513.937F7279A80C@drugs.dv.isc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: draft-hoffman-dane-smime.

In message <m3haqnv0hz.fsf@carbon.jhcloos.org>, James Cloos writes:
> >>>>> "PW" == Paul Wouters <paul@cypherpunks.ca> writes:
> 
> PW> If only we had decided not to use protoport prefixing....
> 
> What does that have to do with anything?  :/
> 
> An RR is defined by its wire format.  A TLSA RR is still a TLSA RR no
> matter where it happens to be in the DNS.
> 
> Just like any other RR.  Eg:
> 
>      foo.example.org in ptr bar
> 
> is still a PTR RR.  No matter how unlikely it should be that anyone
> might dig(1) it.

Well, a PTR record is a record that points to another domain name
but is not followed when looked up, unlike a CNAME.  It was defined
for use anywhere in the DNS, not just in the IN-ADDR.ARPA tree. So
while your conclusion is correct, your argument is invalid.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

From fanf2@hermes.cam.ac.uk  Mon Sep 24 16:32:25 2012
Date: Tue, 25 Sep 2012 00:32:22 +0100
From: Tony Finch <dot@dotat.at>
To: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <50609A03.1050507@ogud.com>
Message-ID: <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com>
Cc: dane@ietf.org
Subject: Re: [dane] Reusing TLSA

Olafur Gudmundsson <ogud@ogud.com> wrote:
>
> There are two parts to TLSA reuse.
>
> 1) the RDATA format
> 2) The registries created for TLSA RR fields.
> 	a) TLSA Certificate Usages
> 	b) TLSA Selectors
> 	c) TLSA Matching Types

There are a few other semantics-related questions:

* Would sharing an RRtype lead to the DNS returning too much irrelevant
data in response to queries? In this case not, because we are using
prefixed labels to disambiguate.

* Would sharing an RRtype lead to useful code sharing between S/MIME and
TLS implementations?

> Reuse of TLSA RR by a protocol means subscribing to supporting new
> entries in the above registries and even allowing new entries in there
> that only make sense in one context.

TLS is about authenticating peers. S/MIME is about encryption as well as
verifying signatures. So I would expect TLS records to be more about
digests of certificates (for brevity) whereas S/MIME records to contain
public keys or entire certs.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

From henry.story@bblfish.net  Tue Sep 25 00:21:57 2012
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net>
Date: Tue, 25 Sep 2012 09:21:49 +0200
Message-Id: <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net>
To: Warren Kumari <warren@kumari.net>, "public-webid@w3.org" <public-webid@w3.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

Ref: http://tools.ietf.org/html/draft-hoffman-dane-smime-04

On 21 Sep 2012, at 19:27, Warren Kumari <warren@kumari.net> wrote:

>
> On Sep 10, 2012, at 5:25 PM, Warren Kumari <warren@kumari.net> wrote:
>
>> Dear WG,
>>
>> This draft has already received some comment (and has been revised to incorporate / address those),  so I'm assuming that there will be sufficient interest to adopt, but for the form of the thing:
>>
>> This starts a call for adoption of draft-hoffman-dane-smime.
>> Please provide feedback as to if you would like this draft adopted by Sept 17th, 2012.
>
> We have discussed this, and see sufficient interest for adopting this draft -- would the authors please re-submit as draft-dane-?


On the whole, my view is that associating a public key to a user is better done by WebID http://webid.info/  ( see spec http://webid.info/spec/ ). Putting that information in the DNS misses out on a lot of other information you would like to have about a user, is difficult to read, write, and on the whole is very cumbersome. The reason for putting public keys of servers in the DNS is that servers tend not to change that much, there tend to not be that many services per domain, etc...

There are proposals of using the WebID public keys for MIME on the WebID =
community group.

Henry


Social Web Architect
http://bblfish.net/


From henry.story@bblfish.net  Tue Sep 25 01:14:06 2012
From: Henry Story <henry.story@bblfish.net>
Message-Id: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net>
Date: Tue, 25 Sep 2012 10:13:58 +0200
To: IETF DANE WG list <dane@ietf.org>
Subject: [dane] deployment of DANE

Any feedback on advances on deployment of DANE in browsers?

Are there any browsers that support this already, are working on it? 

Henry

Social Web Architect
http://bblfish.net/


From henry.story@bblfish.net  Tue Sep 25 05:26:59 2012
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <50619B61.3060206@openlinksw.com>
Date: Tue, 25 Sep 2012 14:26:47 +0200
Message-Id: <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com>
To: Kingsley Idehen <kidehen@openlinksw.com>
Cc: "public-webid@w3.org" <public-webid@w3.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On 25 Sep 2012, at 13:54, Kingsley Idehen <kidehen@openlinksw.com> wrote:

> On 9/25/12 3:21 AM, Henry Story wrote:
> Henry,
>
> S/MIME and WebID work together very well. That's something we've long implemented. Notice the certificate used to sign this mail :-)
>
> To conclude, WebID is another option with finer granularity and more distributed control (no DNS admin access privileges required, just own a profile document) re., mail sender identity verification.

It may be interesting to know from the DANE working group, what they think would need to be done to make the application of WebID to S/MIME something more widely known about. Currently the WebID spec ( http://webid.info/spec ) illustrates how one can use a WebID in a client certificate to authenticate with TLS on any server. Perhaps the WebID working group should put some documents forward on how this can be used for S/MIME? Or perhaps an RFC would be more useful for that?
I don't think we have any formal document on that yet.

  Henry



Social Web Architect
http://bblfish.net/


From paul.hoffman@vpnc.org  Tue Sep 25 07:09:20 2012
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net>
Date: Tue, 25 Sep 2012 07:09:13 -0700
Message-Id: <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net>
To: Henry Story <henry.story@bblfish.net>
X-Mailer: Apple Mail (2.1498)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 14:09:20 -0000

WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.

--Paul Hoffman

From henry.story@bblfish.net  Tue Sep 25 07:11:48 2012
From: Henry Story <henry.story@bblfish.net>
Date: Tue, 25 Sep 2012 16:11:40 +0200
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-Id: <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net>
In-Reply-To: <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org>

On 25 Sep 2012, at 16:09, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.

Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list. But knowing that they exist has always been important to IETF practice. It's called: not re-inventing the wheel. But I see you have a problem with that. Sorry to have hurt your feelings.

Henry

> 
> --Paul Hoffman

Social Web Architect
http://bblfish.net/


From paul.hoffman@vpnc.org  Tue Sep 25 07:19:12 2012
From: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Tue, 25 Sep 2012 07:19:08 -0700
To: Henry Story <henry.story@bblfish.net>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-Id: <1CF5F888-3698-4044-BCEF-22FE7FD24AB6@vpnc.org>
In-Reply-To: <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net>

On Sep 25, 2012, at 7:11 AM, Henry Story <henry.story@bblfish.net> wrote:

> On 25 Sep 2012, at 16:09, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
>> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
> 
> Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list.

TLS and MIME are IETF standards. WebID is not yet a standard from any organization, I believe. Notice the difference?

> But knowing that they exist has always been important to IETF practice.

There are a zillion pre-standards efforts on the Internet; we don't need to discuss them all in a WG that is about DANE.

> It's called: not re-inventing the wheel.

WebID is completely orthogonal to DANE, or will be when it becomes standardized. Yes, you can pour anything into the WebID container. That doesn't mean that no other work needs to be done in the IETF.

> But I see you have a problem with that.

No, you see I have a problem with you trying to legitimize WebID in every possible venue in the IETF even though you have failed to get support elsewhere. Note the difference?

> Sorry to have hurt your feelings.

You are mistaking "hurt feelings" for "please don't waste our time here; feel free to work on it on your own". Note the difference?

--Paul Hoffman

From henry.story@bblfish.net  Tue Sep 25 07:45:16 2012
From: Henry Story <henry.story@bblfish.net>
Date: Tue, 25 Sep 2012 16:44:59 +0200
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-Id: <8AF53C29-5B88-44E0-A3D0-62F7A4330E5D@bblfish.net>
In-Reply-To: <1CF5F888-3698-4044-BCEF-22FE7FD24AB6@vpnc.org>

On 25 Sep 2012, at 16:19, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Sep 25, 2012, at 7:11 AM, Henry Story <henry.story@bblfish.net> wrote:
> 
>> On 25 Sep 2012, at 16:09, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> 
>>> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
>> 
>> Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list.
> 
> TLS and MIME are IETF standards. WebID is not yet a standard from any organization, I believe. Notice the difference?

Ah I see, if it were a standard you'd be able to discuss it? But if it is not, then you can't conceive of it...

Now notice that your new proposal - draft-hoffman-dane-smime - is also just a proposal.

And it may have a disadvantage over another proposal that we could make just as easily. That proposal - based on WebID - would also be using DANE to gain strength. So I don't see the difference. If we can make proposals on this list for non-DANE server auth proposals then clearly the proposal that WebID constitutes or could constitute with a bit of imagination, would be something to take into consideration.

so difference = 0

> 
>> But knowing that they exist has always been important to IETF practice.
> 
> There are a zillion pre-standards efforts on the Internet; we don't need to discuss them all in a WG that is about DANE.

But this working group was about DANE, the project that has finished. You now want to essentially continue with the momentum to propose a standard which is only tangentially related to why people formed the DANE group.

But I see you'd rather deflect the discussion from that area, than address the points.
Anyway, let's stop this silly fighting and look at the issues.


>> It's called: not re-inventing the wheel.
> 
> WebID is completely orthogonal to DANE, or will be when it becomes standardized. Yes, you can pour anything into the WebID container. That doesn't mean that no other work needs to be done in the IETF.

I think the interesting thing to work out is in what way this is orthogonal.

What I don't understand yet looking at draft-hoffman-dane-smime, is what key is going to be placed in DNS. Is it the signing key? The key that will sign the certificates? If so that could indeed be worthwhile putting in DNS. (Though one could just as easily put that in http space.) If it is to put the client certificates themselves in DNS, then that seems much less of a good idea.

> 
>> But I see you have a problem with that.
> 
> No, you see I have a problem with you trying to legitimize WebID in every possible venue in the IETF even though you have failed to get support elsewhere. Note the difference?

You are putting a draft forward! Not a final spec.

> 
>> Sorry to have hurt your feelings.
> 
> You are mistaking "hurt feelings" for "please don't waste our time here; feel free to work on it on your own". Note the difference?

Yes, I notice that you are mixing your role of chair with the role of proposer of a spec.

> 
> --Paul Hoffman

Social Web Architect
http://bblfish.net/


From kent@bbn.com  Tue Sep 25 07:45:57 2012
From: Stephen Kent <kent@bbn.com>
Date: Tue, 25 Sep 2012 10:45:50 -0400
To: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-ID: <5061C39E.1070901@bbn.com>
In-Reply-To: <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net>

Henry,

>> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
> Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list. But knowing that they exist has always been important to IETF practice. It's called: not re-inventing the wheel. But I see you have a problem with that. Sorry to have hurt your feelings.
If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/) you would see that TLS is cited 5 times, so your supposition above is wrong with regard to its first assertion.

Steve

From benl@google.com  Tue Sep 25 08:00:40 2012
From: Ben Laurie <benl@google.com>
Date: Tue, 25 Sep 2012 16:00:38 +0100
To: Henry Story <henry.story@bblfish.net>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-ID: <CABrd9SSdzE6yG+KoKBFA8Zh2Cj0BFnodb84F-L6jStnYArsOGw@mail.gmail.com>
In-Reply-To: <8AF53C29-5B88-44E0-A3D0-62F7A4330E5D@bblfish.net>

On 25 September 2012 15:44, Henry Story <henry.story@bblfish.net> wrote:
> What I don't understand yet looking at draft-hoffman-dane-smime, is what key is going to be placed in DNS. Is it the signing key? The key that will sign the certificates? If so that could indeed be worthwhile putting in DNS. (Though one could just as easily put that in http space.) If it is to put the client certificates themselves in DNS, then that seems much less of a good idea.

It's pretty clear it could be either of those, though I have to say the I-D doesn't really work properly in this respect.

It inherits the Certificate Usage field from 6698 - but 6698 references TLS and TLS servers and things like that. I fear the I-D really needs to redefine the usages in an S/MIME context.
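Henry's question (is it the signing key or the end-entity certificate that goes into DNS?) and Ben's point about the inherited Certificate Usage field both come down to how the RFC 6698 RDATA fields (usage, selector, matching type) select and match certificate data. The following is an added example, not code from the draft or from anyone on the thread: it parses a record in RFC 6698 presentation format and checks a constructed certificate chain against it, where the certificate objects, their byte strings and the `pkix_valid` flag are constructed placeholders rather than real DER or a real PKIX validator.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# RFC 6698 field registries, as inherited by the draft.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_NAMES = {0: "Full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING_NAMES = {0: "Exact match", 1: "SHA-256", 2: "SHA-512"}
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class CertAssociation:
    """The four RDATA fields of an RFC 6698 record."""
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate. A real implementation
    would parse the SubjectPublicKeyInfo out of the DER; here both are
    placeholder byte strings so the example runs offline."""
    name: str
    der: bytes
    spki: bytes


def parse_record(text: str) -> CertAssociation:
    """Parse the presentation format '<usage> <selector> <mtype> <hex data>'
    and reject unassigned values and digests of the wrong length."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("need usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in USAGE_NAMES:
        raise ValueError(f"unassigned certificate usage {usage}")
    if selector not in SELECTOR_NAMES:
        raise ValueError(f"unassigned selector {selector}")
    if mtype not in MATCHING_NAMES:
        raise ValueError(f"unassigned matching type {mtype}")
    data = bytes.fromhex("".join(fields[3:]))  # hex may be split by whitespace
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(f"{MATCHING_NAMES[mtype]} data must be {DIGEST_LEN[mtype]} bytes")
    return CertAssociation(usage, selector, mtype, data)


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Apply the selector first, then the matching type, in RFC 6698 order."""
    selected = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return selected
    algo = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return algo(selected).digest()


def match_chain(record: CertAssociation, chain: List[Cert], pkix_valid: bool) -> Optional[str]:
    """Return the name of the certificate the record binds, or None.

    chain[0] is the end-entity certificate, the rest its issuers up to the
    trust anchor (this example assumes the anchor is present in the chain).
    Usages 1 and 3 bind the end entity itself ("put the certificate in DNS");
    usages 0 and 2 bind an issuer ("put the signing key in DNS"). Usages 0
    and 1 additionally require ordinary PKIX validation to have succeeded.
    """
    if record.usage in (0, 1) and not pkix_valid:
        return None
    candidates = chain[:1] if record.usage in (1, 3) else chain[1:]
    for cert in candidates:
        if association_data(cert, record.selector, record.matching_type) == record.data:
            return cert.name
    return None


# Constructed sample chain: the bytes are placeholders, not real DER.
EE_CERT = Cert("ee", b"constructed-der-for-alice@example.com", b"constructed-spki-alice")
CA_CERT = Cert("ca", b"constructed-der-for-example-ca", b"constructed-spki-ca")
CHAIN = [EE_CERT, CA_CERT]


def demo() -> dict:
    """Three records, one per reading raised on the list: the end-entity key
    via DANE-EE, the issuer certificate via DANE-TA, the end entity via PKIX-EE.
    Each value is (result without PKIX validation, result with it)."""
    records = {
        "dane-ee": "3 1 1 " + hashlib.sha256(EE_CERT.spki).hexdigest(),
        "dane-ta": "2 0 1 " + hashlib.sha256(CA_CERT.der).hexdigest(),
        "pkix-ee": "1 0 0 " + EE_CERT.der.hex(),
    }
    return {
        name: (match_chain(parse_record(text), CHAIN, pkix_valid=False),
               match_chain(parse_record(text), CHAIN, pkix_valid=True))
        for name, text in records.items()
    }


if __name__ == "__main__":
    for name, (without_pkix, with_pkix) in demo().items():
        print(f"{name}: without PKIX -> {without_pkix}, with PKIX -> {with_pkix}")
```

The PKIX-EE row only matches once `pkix_valid` is true, which is the behaviour that makes sense for a TLS server but that the draft would need to spell out for an S/MIME recipient whose certificate may not chain to any trust anchor the sender holds.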

From benl@google.com  Tue Sep 25 08:01:23 2012
From: Ben Laurie <benl@google.com>
Date: Tue, 25 Sep 2012 16:01:21 +0100
To: Henry Story <henry.story@bblfish.net>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-ID: <CABrd9STYO0-QAxX3ky_L14Qvveic6Pu_8=sxhx+1gCEt-w14dA@mail.gmail.com>
In-Reply-To: <CABrd9SSdzE6yG+KoKBFA8Zh2Cj0BFnodb84F-L6jStnYArsOGw@mail.gmail.com>

Oh, also, 6.1 is incorrectly titled :-)

On 25 September 2012 16:00, Ben Laurie <benl@google.com> wrote:
> On 25 September 2012 15:44, Henry Story <henry.story@bblfish.net> wrote:
>> What I don't understand yet looking at draft-hoffman-dane-smime, is what key is going to be placed in DNS. Is it the signing key? The key that will sign the certificates? If so that could indeed be worthwhile putting in DNS. (Though one could just as easily put that in http space.) If it is to put the client certificates themselves in DNS, then that seems much less of a good idea.
>
> It's pretty clear it could be either of those, though I have to say the I-D doesn't really work properly in this respect.
>
> It inherits the Certificate Usage field from 6698 - but 6698 references TLS and TLS servers and things like that. I fear the I-D really needs to redefine the usages in an S/MIME context.

From henry.story@bblfish.net  Tue Sep 25 08:07:52 2012
From: Henry Story <henry.story@bblfish.net>
Date: Tue, 25 Sep 2012 17:07:47 +0200
To: Stephen Kent <kent@bbn.com>
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
Message-Id: <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net>
In-Reply-To: <5061C39E.1070901@bbn.com>

On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:

> Henry,
>
>>> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
>> Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list. But knowing that they exist has always been important to IETF practice. It's called: not re-inventing the wheel. But I see you have a problem with that. Sorry to have hurt your feelings.
> If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/) you would see that TLS is cited 5 times, so your supposition above is wrong with regard to its first assertion.

Thanks. But not MIME - So the point holds well enough :-)

Anyway, the WebID spec

    http://www.w3.org/2005/Incubator/webid/spec/

is also very clearly tied to TLS, and would benefit a lot from DANE being deployed. So my interest in DANE is not a side issue. The strongest pushback against WebID (and so using client certificates) is the cost of server certificates for most players. (The next strongest is the inability to log out from all but Firefox browsers.)

In fact my interest in DANE can be traced back to a discussion I had with Dan Kaminsky at Hackers at Random (HAR) 3 years ago, where I quickly gave him an overview of WebID (at the time foaf+ssl). This was before the creation of the DANE group. The protocols are very similar logically.

That is why it would be worth discussing things and seeing how these protocols can work together. And perhaps there is even some interesting way for the MIME proposal to work out nicely.

Henry


>
> Steve

Social Web Architect
http://bblfish.net/


From paul.hoffman@vpnc.org  Tue Sep 25 08:09:29 2012
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABrd9SSdzE6yG+KoKBFA8Zh2Cj0BFnodb84F-L6jStnYArsOGw@mail.gmail.com>
Date: Tue, 25 Sep 2012 08:09:25 -0700
Message-Id: <C01BB387-F5DA-4911-ABC9-26F665B5A239@vpnc.org>
To: Ben Laurie <benl@google.com>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On Sep 25, 2012, at 8:00 AM, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 15:44, Henry Story <henry.story@bblfish.net> wrote:
>> What I don't understand yet looking at draft-hoffman-dane-smime, is what key is going to be placed in DNS. Is it the signing key? The key that will sign the certificates? If so that could indeed be worthwhile putting in DNS. (Though one could just as easily put that in http space.) If it is to put the client certificates themselves in DNS, then that seems much less of a good idea.
>
> It's pretty clear it could be either of those, though I have to say the
> I-D doesn't really work properly in this respect.

Can you say more? I'm not seeing why the signing or encrypting key would be different, but I could be missing something obvious.

> It inherits the Certificate Usage field from 6698 - but 6698
> references TLS and TLS servers and things like that. I fear the I-D
> really needs to redefine the usages in an S/MIME context.

Why? Nothing in RFC 6698 says that the certificate or bare-ish key are only for signing. In fact, signing/encrypting isn't mentioned at all.

--Paul Hoffman

From paul.hoffman@vpnc.org  Tue Sep 25 08:12:51 2012
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABrd9STYO0-QAxX3ky_L14Qvveic6Pu_8=sxhx+1gCEt-w14dA@mail.gmail.com>
Date: Tue, 25 Sep 2012 08:12:49 -0700
Message-Id: <D0F098B0-C453-44A9-821D-5750F4FC752B@vpnc.org>
To: Ben Laurie <benl@google.com>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On Sep 25, 2012, at 8:01 AM, Ben Laurie <benl@google.com> wrote:

> Oh, also, 6.1 is incorrectly titled :-)

As announced the other day, there is now a WG document, draft-ietf-dane-smime. In that document, Section 5.1 is indeed incorrectly titled. But if you were reading the other threads on this list, you would see that maybe that section was just presciently titled. :-)

--Paul Hoffman

From warren@kumari.net  Tue Sep 25 08:20:27 2012
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <8AF53C29-5B88-44E0-A3D0-62F7A4330E5D@bblfish.net>
Date: Tue, 25 Sep 2012 17:20:21 +0200
Message-Id: <714C8F11-08CF-4D5A-9D51-D3D34756448F@kumari.net>
To: Henry Story <henry.story@bblfish.net>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

<chair>
Ok, this conversation is becoming unnecessarily combative. Emotions are running high, and I would appreciate participants watching their tone.

DANE is not finished; we have agreed to work on "How to do DANE with $foo" documents (the chairs have been remiss in not providing an updated charter for consideration that reflects this…)

Before discussing WebID *at all* I would want to discuss this all with our W3C liaison to avoid any cross-SDO friction...

</chair>
On Sep 25, 2012, at 4:44 PM, Henry Story <henry.story@bblfish.net> wrote:

>
> On 25 Sep 2012, at 16:19, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
>> On Sep 25, 2012, at 7:11 AM, Henry Story <henry.story@bblfish.net> wrote:
>>
>>> On 25 Sep 2012, at 16:09, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>>
>>>> WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
>>>
>>> Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list.
>>
>> TLS and MIME are IETF standards. WebID is not yet a standard from any organization, I believe. Notice the difference?
>
> Ah I see, if it were a standard you'd be able to discuss it? But if it is not, then you can't conceive of it...
>
> Now notice that your new proposal - draft-hoffman-dane-smime - is also just a proposal.
>
> And it may have a disadvantage over another proposal that we could make just as easily. That proposal - based on WebID - would also be using DANE to gain strength. So I don't see the difference. If we can make proposals on this list for non DANE for server auth proposals then clearly the proposal that WebID constitutes or could constitute with a bit of imagination, would be something to take into consideration.
>
> so difference = 0
>
>>
>>> But knowing that they exist has always been important to IETF practice.
>>
>> There are a zillion pre-standards efforts on the Internet; we don't need to discuss them all in a WG that is about DANE.
>
> But this working group was about DANE, the project that has finished. You now want to essentially continue with the momentum to propose a standard which is only tangentially related to why people formed the DANE group.
>
> But I see you'd rather deflect the discussion from that area, than address the points.
> Anyway, let's stop this silly fighting and look at the issues.
>
>
>>> It's called: not re-inventing the wheel.
>>
>> WebID is completely orthogonal to DANE, or will be when it becomes standardized. Yes, you can pour anything into the WebID container. That doesn't mean that no other work needs to be done in the IETF.
>
> I think the interesting thing to work out is in what way this is orthogonal.
>
> What I don't understand yet looking at draft-hoffman-dane-smime, is what key is going to be placed in DNS. Is it the signing key? The key that will sign the certificates? If so that could indeed be worthwhile putting in DNS. (Though one could just as easily put that in http space.) If it is to put the client certificates themselves in DNS, then that seems much less of a good idea.
>
>>
>>> But I see you have a problem with that.
>>
>> No, you see I have a problem with you trying to legitimize WebID in every possible venue in the IETF even though you have failed to get support elsewhere. Note the difference?
>
> You are putting a draft forward! Not a final spec.
>
>>
>>> Sorry to have hurt your feelings.
>>
>> You are mistaking "hurt feelings" for "please don't waste our time here; feel free to work on it on your own". Note the difference?
>
> Yes, I notice that you are mixing your role of chair with role of proposer of a spec.
>
>>
>> --Paul Hoffman
>
> Social Web Architect
> http://bblfish.net/
>


From kent@bbn.com  Tue Sep 25 08:22:19 2012
Message-ID: <5061CC22.1040102@bbn.com>
Date: Tue, 25 Sep 2012 11:22:10 -0400
From: Stephen Kent <kent@bbn.com>
To: dane@ietf.org
In-Reply-To: <8AF53C29-5B88-44E0-A3D0-62F7A4330E5D@bblfish.net>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

Henry,

>> But knowing that they exist has always been important to IETF practice.
>> There are a zillion pre-standards efforts on the Internet; we don't need to discuss them all in a WG that is about DANE.
> But this working group was about DANE, the project that has finished. You now want to essentially continue with the momentum to propose a standard which is only tangentially related to why people formed the DANE group.
DANE is seen as a basis for using public key info published via the DNS to bind public keys to DNS names, as discussed at the BoF that preceded the formation of this WG. The WG was chartered to deal with TLS first, to provide focus. The intent is to allow the WG to use the same basic mechanism to provide public keys to other security protocols. So, your statement above is not correct, both in terms of stating that the project is finished, and in terms of why the WG was formed.

I don't recall seeing you at that BoF; were you present?

Steve

From henry.story@bblfish.net  Tue Sep 25 08:34:31 2012
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <5061CC22.1040102@bbn.com>
Date: Tue, 25 Sep 2012 17:34:12 +0200
Message-Id: <57B5C773-8B3A-4F0B-BC69-9A57E2043231@bblfish.net>
To: Stephen Kent <kent@bbn.com>
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On 25 Sep 2012, at 17:22, Stephen Kent <kent@bbn.com> wrote:

> Henry,
>
>>> But knowing that they exist has always been important to IETF practice.
>>> There are a zillion pre-standards efforts on the Internet; we don't need to discuss them all in a WG that is about DANE.
>> But this working group was about DANE, the project that has finished. You now want to essentially continue with the momentum to propose a standard which is only tangentially related to why people formed the DANE group.
> DANE is seen as a basis for using public key info published via the DNS to bind public keys to DNS names, as discussed at the BoF that preceded the formation of this WG. The WG was chartered to deal with TLS first, to provide focus. The intent is to allow the WG to use the same basic mechanism to provide public keys to other security protocols. So, your statement above is not correct, both in terms of stating that the project is finished, and in terms of why the WG was formed.

I don't have problems with this. I was just reacting to the claim that one could not bring up any outside work relating to the idea of binding public keys to users using DNS.

> I don't recall seeing you at that BoF; were you present?

I was present in Paris, not in the recent IETF meeting.

In any case this is more a question of understanding how things can work together. Sorry if I come in a bit late into the discussion. But there is no need to get so defensive about the draft-hoffman.

Henry

>
> Steve

Social Web Architect
http://bblfish.net/


From benl@google.com  Tue Sep 25 08:41:29 2012
In-Reply-To: <C01BB387-F5DA-4911-ABC9-26F665B5A239@vpnc.org>
Date: Tue, 25 Sep 2012 16:41:28 +0100
Message-ID: <CABrd9SQB6ymwsZ+9OpsqMot10czbccVsXtHTwPSHvwfUC6FJ8Q@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"

On 25 September 2012 16:09, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>
> On Sep 25, 2012, at 8:00 AM, Ben Laurie <benl@google.com> wrote:
>
>> On 25 September 2012 15:44, Henry Story <henry.story@bblfish.net> wrote:
>>> What I don't understand yet looking at draft-hoffman-dane-smime, is what
>>> key is going to be placed in DNS. Is it the signing key? The key that will
>>> sign the certificates? If so that could indeed be worthwhile putting in
>>> DNS. (Though one could just as easily put that in http space.) If it is
>>> to put the client certificates themselves in DNS, then that seems much
>>> less of a good idea.
>>
>> It's pretty clear it could be either of those, though I have to say the
>> I-D doesn't really work properly in this respect.
>
> Can you say more? I'm not seeing why the signing or encrypting key would
> be different, but I could be missing something obvious.
>
>> It inherits the Certificate Usage field from 6698 - but 6698
>> references TLS and TLS servers and things like that. I fear the I-D
>> really needs to redefine the usages in an S/MIME context.
>
> Why? Nothing in RFC 6698 says that the certificate or bare-ish key are
> only for signing. In fact, signing/encrypting isn't mentioned at all.

Not even by me!

But what is mentioned is, e.g.

 "Certificate usage 0 is used to specify a CA certificate, or
      the public key of such a certificate, that MUST be found in any of
      the PKIX certification paths for the end entity certificate given
      by the server in TLS. "

From benl@google.com  Tue Sep 25 08:45:49 2012
Return-Path: <benl@google.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEFFF21F8799 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 08:45:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level: 
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zWJohUYTRJvU for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 08:45:49 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1DC8821F86A2 for <dane@ietf.org>; Tue, 25 Sep 2012 08:45:49 -0700 (PDT)
Received: by obqv19 with SMTP id v19so388411obq.31 for <dane@ietf.org>; Tue, 25 Sep 2012 08:45:42 -0700 (PDT)
Received: by 10.182.8.6 with SMTP id n6mr12611640oba.39.1348587942114; Tue, 25 Sep 2012 08:45:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.8.6 with SMTP id n6mr12611631oba.39.1348587942022; Tue, 25 Sep 2012 08:45:42 -0700 (PDT)
Received: by 10.60.39.136 with HTTP; Tue, 25 Sep 2012 08:45:41 -0700 (PDT)
In-Reply-To: <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net>
Date: Tue, 25 Sep 2012 16:45:41 +0100
Message-ID: <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Henry Story <henry.story@bblfish.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-List-Received-Date: Tue, 25 Sep 2012 15:45:49 -0000

On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
>
> On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:
>
>> Henry,
>>
>>>> WebID is not in the charter for this WG. If you want to discuss S/MIME
>>>> and WebID, you are free to do so elsewhere, of course. There is no need
>>>> for you to Cc this WG on that work.
>>> Neither I suppose is TLS, or MIME btw, or many other standards that are
>>> discussed on this list. But knowing that they exist has always been
>>> important to IETF practice. It's called: not re-inventing the wheel. But
>>> I see you have a problem with that. Sorry to have hurt your feelings.
>> If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
>> you would see that TLS is cited 5 times, so your supposition above is
>> wrong with regard to its first assertion.
>
> Thanks. But not MIME - So the point holds well enough :-)
>
> Anyway, the webid spec
>
>     http://www.w3.org/2005/Incubator/webid/spec/
>
> also is very clearly tied to TLS, and would benefit a lot from DANE being
> deployed. So my interest in DANE is not a side issue. The strongest
> pushback against WebID (and so using client certificates) is the cost of
> server certificates for most players.

You mean people who aren't using HTTPS to secure logins care about WebID?

> (the next strongest is the inability to logout from all but Firefox
> browsers)

Am I really the only one who cares about usability?

From paul.hoffman@vpnc.org  Tue Sep 25 08:55:16 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC19821F8809 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 08:55:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.596
X-Spam-Level: 
X-Spam-Status: No, score=-102.596 tagged_above=-999 required=5 tests=[AWL=0.003, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bCNyP2rOGBH0 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 08:55:15 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 93FCC21F880E for <dane@ietf.org>; Tue, 25 Sep 2012 08:55:14 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q8PFtBBu066754 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 25 Sep 2012 08:55:11 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABrd9SQB6ymwsZ+9OpsqMot10czbccVsXtHTwPSHvwfUC6FJ8Q@mail.gmail.com>
Date: Tue, 25 Sep 2012 08:55:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B72FB43-C628-434B-80E0-604C28666CA9@vpnc.org>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <1CF5F888-3698-4044-BCEF-22FE7FD24AB6@vpnc.org> <8AF53C29-5B88-44E0-A3D0-62F7A4330E5D@bblfish.net> <CABrd9SSdzE6yG+KoKBFA8Zh2Cj0BFnodb84F-L6jStnYArsOGw@mail.gmail.com> <C01BB387-F5DA-4911-ABC9-26F665B5A239@vpnc.org> <CABrd9SQB6ymwsZ+9OpsqMot10czbccVsXtHTwPSHvwfUC6FJ8Q@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1498)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-List-Received-Date: Tue, 25 Sep 2012 15:55:16 -0000

On Sep 25, 2012, at 8:41 AM, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 16:09, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>
>> On Sep 25, 2012, at 8:00 AM, Ben Laurie <benl@google.com> wrote:
>>
>>> On 25 September 2012 15:44, Henry Story <henry.story@bblfish.net> wrote:
>>>> What I don't understand yet looking at draft-hoffman-dane-smime, is what
>>>> key is going to be placed in DNS. Is it the signing key? The key that
>>>> will sign the certificates? If so that could indeed be worthwhile putting
>>>> in DNS. (Though one could just as easily put that in http space.) If it
>>>> is to put the client certificates themselves in DNS, then that seems much
>>>> less of a good idea.
>>>
>>> It's pretty clear it could be either of those, though I have to say the
>>> I-D doesn't really work properly in this respect.
>>
>> Can you say more? I'm not seeing why the signing or encrypting key would
>> be different, but I could be missing something obvious.
>>
>>> It inherits the Certificate Usage field from 6698 - but 6698
>>> references TLS and TLS servers and things like that. I fear the I-D
>>> really needs to redefine the usages in an S/MIME context.
>>
>> Why? Nothing in RFC 6698 says that the certificate or bare-ish key are
>> only for signing. In fact, signing/encrypting isn't mentioned at all.
>
> Not even by me!
>
> But what is mentioned is, e.g.
>
> "Certificate usage 0 is used to specify a CA certificate, or
>      the public key of such a certificate, that MUST be found in any of
>      the PKIX certification paths for the end entity certificate given
>      by the server in TLS. "
>

Ahhh, good point. We will definitely deal with that in our document. It
appears more subtly in a few other places in 6698 as well.

--Paul Hoffman
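The passage Ben quotes is the TLS-specific part of RFC 6698: not the selector and matching-type machinery, but what the certificate usage value says about where the matched certificate has to appear. The following is an added example, written for this page and not code from RFC 6698, draft-hoffman-dane-smime, or any DANE implementation. It builds a constructed sample X.509 certificate with a minimal DER encoder, extracts its SubjectPublicKeyInfo with a minimal DER walker, and produces and checks RFC 6698-style RDATA (usage, selector, matching type, association data). Everything below the usage byte carries over unchanged to an S/MIME record; the usage byte is left uninterpreted because its meaning is what the draft still has to define. The sample modulus, the names, and the dummy signature are assumptions.

```python
import hashlib

# DER tag numbers used below
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:          # leading zero keeps the value positive
        b = b"\x00" + b
    return tlv(INT, b)

RSA_ENC = bytes.fromhex("2a864886f70d010101")     # OID 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # OID 1.2.840.113549.1.1.11 sha256WithRSAEncryption
CN = bytes.fromhex("550403")                       # OID 2.5.4.3 commonName

def name(cn):
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, CN) + tlv(UTF8, cn.encode()))))

# Constructed sample key: an odd 2048-bit number, not a real RSA modulus (assumption).
SAMPLE_MODULUS = int.from_bytes(hashlib.sha256(b"constructed sample key").digest() * 8, "big") | 1

def sample_certificate(modulus, cn="alice@example.com"):
    """Build a constructed v3 certificate; the signature field is a dummy bit string."""
    spki = tlv(SEQ, tlv(SEQ, tlv(OID, RSA_ENC) + tlv(NULL, b""))
                    + tlv(BITSTR, b"\x00" + tlv(SEQ, der_int(modulus) + der_int(65537))))
    sig_alg = tlv(SEQ, tlv(OID, SHA256_RSA) + tlv(NULL, b""))
    validity = tlv(SEQ, tlv(UTCTIME, b"120101000000Z") + tlv(UTCTIME, b"130101000000Z"))
    tbs = tlv(SEQ, tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name("Example CA")
                    + validity + name(cn) + spki)
    return tlv(SEQ, tbs + sig_alg + tlv(BITSTR, b"\x00" * 33))

def der_read(buf):
    """Return (tag, body, bytes consumed) for the TLV at the start of buf."""
    tag, length, i = buf[0], buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        i = 2 + n
    return tag, buf[i:i + length], i + length

def der_children(node):
    """Yield (tag, raw TLV, body) for each element inside a constructed node."""
    _, body, _ = der_read(node)
    i = 0
    while i < len(body):
        tag, inner, consumed = der_read(body[i:])
        yield tag, body[i:i + consumed], inner
        i += consumed

def subject_public_key_info(cert_der):
    """Walk Certificate -> TBSCertificate -> subjectPublicKeyInfo (RFC 5280 layout)."""
    tbs = next(der_children(cert_der))[1]
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:       # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def association_data(cert_der, selector, matching_type):
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    return data

def rdata(cert_der, usage, selector, matching_type):
    """RFC 6698 wire format: usage, selector, matching type, then the association data."""
    return bytes([usage, selector, matching_type]) + association_data(cert_der, selector, matching_type)

def presentation(rd):
    """Zone-file style text form, e.g. '3 1 1 <hex>'."""
    return "%d %d %d %s" % (rd[0], rd[1], rd[2], rd[3:].hex())

def matches(rd, cert_der):
    """Recompute the association data from a candidate certificate and compare.
    The usage byte rd[0] is deliberately not interpreted: which certificate in a
    chain it constrains is the part RFC 6698 phrases in terms of a TLS server."""
    return rd[3:] == association_data(cert_der, rd[1], rd[2])

if __name__ == "__main__":
    cert = sample_certificate(SAMPLE_MODULUS)
    rd = rdata(cert, 3, 1, 1)
    print(presentation(rd))
    print("same key, different subject matches:",
          matches(rd, sample_certificate(SAMPLE_MODULUS, cn="bob@example.com")))
    print("different key matches:", matches(rd, sample_certificate(SAMPLE_MODULUS + 2)))
```

With selector 1 and matching type 1 the record pins the key, so a re-issued certificate for the same key still matches; selector 0 pins the exact certificate bytes. What the code does not decide is whether the matched object must be a trust anchor, a CA somewhere in the path, or the end entity's own certificate, and for S/MIME "the end entity certificate given by the server in TLS" has no counterpart. That is the sentence Ben quotes, and the part a draft reusing the usage field has to restate.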

From henry.story@bblfish.net  Tue Sep 25 09:06:11 2012
Return-Path: <henry.story@bblfish.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43B8B1F0CBD for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:06:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e-kU6VVFNAgX for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:06:10 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id 47C591F0CB0 for <dane@ietf.org>; Tue, 25 Sep 2012 09:06:10 -0700 (PDT)
Received: by wibhq12 with SMTP id hq12so2796756wib.13 for <dane@ietf.org>; Tue, 25 Sep 2012 09:06:09 -0700 (PDT)
Received: by 10.216.143.158 with SMTP id l30mr9703070wej.113.1348589169343; Tue, 25 Sep 2012 09:06:09 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-165-173.w81-249.abo.wanadoo.fr. [81.249.236.173]) by mx.google.com with ESMTPS id ct3sm20697472wib.5.2012.09.25.09.06.07 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 25 Sep 2012 09:06:08 -0700 (PDT)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com>
Date: Tue, 25 Sep 2012 18:06:06 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1498)
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-List-Received-Date: Tue, 25 Sep 2012 16:06:11 -0000

On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
>>
>> On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:
>>
>>> Henry,
>>>
>>>>> WebID is not in the charter for this WG. If you want to discuss S/MIME
>>>>> and WebID, you are free to do so elsewhere, of course. There is no need
>>>>> for you to Cc this WG on that work.
>>>> Neither I suppose is TLS, or MIME btw, or many other standards that are
>>>> discussed on this list. But knowing that they exist has always been
>>>> important to IETF practice. It's called: not re-inventing the wheel. But
>>>> I see you have a problem with that. Sorry to have hurt your feelings.
>>> If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
>>> you would see that TLS is cited 5 times, so your supposition above is
>>> wrong with regard to its first assertion.
>>
>> Thanks. But not MIME - So the point holds well enough :-)
>>
>> Anyway, the webid spec
>>
>>    http://www.w3.org/2005/Incubator/webid/spec/
>>
>> also is very clearly tied to TLS, and would benefit a lot from DANE being
>> deployed. So my interest in DANE is not a side issue. The strongest
>> pushback against WebID (and so using client certificates) is the cost of
>> server certificates for most players.
>
> You mean people who aren't using HTTPS to secure logins care about WebID?

People who are not using HTTPS to secure logins won't have very secure
logins (even passwords require protection). I am speaking about pushback
from people who are serious about security (not counting the TOR type
super security folks - but I will show that WebID works there too).

>
>> (the next strongest is the inability to logout from all but Firefox
>> browsers)
>
> Am I really the only one who cares about usability?

Firefox usability (of client certs) sucks. All the others are pretty good,
and could easily be made better by a little work from the browser vendors.
I demonstrate that very clearly in the video on http://webid.info/ . Now
why browser vendors like Firefox don't do the few weeks work to get
usability working is beyond me. I think it is partly because they don't
understand how usable they could make client certificates with WebID.

Henry

Social Web Architect
http://bblfish.net/


From benl@google.com  Tue Sep 25 09:12:18 2012
Return-Path: <benl@google.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5AEB21F8805 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:12:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level: 
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SdZs5UCmbzyu for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:12:18 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id ED48621F8844 for <dane@ietf.org>; Tue, 25 Sep 2012 09:12:06 -0700 (PDT)
Received: by obqv19 with SMTP id v19so426743obq.31 for <dane@ietf.org>; Tue, 25 Sep 2012 09:12:06 -0700 (PDT)
Received: by 10.60.7.169 with SMTP id k9mr12601914oea.77.1348589526520; Tue, 25 Sep 2012 09:12:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.60.7.169 with SMTP id k9mr12601903oea.77.1348589526357; Tue, 25 Sep 2012 09:12:06 -0700 (PDT)
Received: by 10.60.39.136 with HTTP; Tue, 25 Sep 2012 09:12:06 -0700 (PDT)
In-Reply-To: <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net>
Date: Tue, 25 Sep 2012 17:12:06 +0100
Message-ID: <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Henry Story <henry.story@bblfish.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-List-Received-Date: Tue, 25 Sep 2012 16:12:19 -0000

On 25 September 2012 17:06, Henry Story <henry.story@bblfish.net> wrote:
>
> On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com> wrote:
>
>> On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
>>>
>>> On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:
>>>
>>>> Henry,
>>>>
>>>>>> WebID is not in the charter for this WG. If you want to discuss S/MIME
>>>>>> and WebID, you are free to do so elsewhere, of course. There is no need
>>>>>> for you to Cc this WG on that work.
>>>>> Neither I suppose is TLS, or MIME btw, or many other standards that are
>>>>> discussed on this list. But knowing that they exist has always been
>>>>> important to IETF practice. It's called: not re-inventing the wheel. But
>>>>> I see you have a problem with that. Sorry to have hurt your feelings.
>>>> If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
>>>> you would see that TLS is cited 5 times, so your supposition above is
>>>> wrong with regard to its first assertion.
>>>
>>> Thanks. But not MIME - So the point holds well enough :-)
>>>
>>> Anyway, the webid spec
>>>
>>>    http://www.w3.org/2005/Incubator/webid/spec/
>>>
>>> also is very clearly tied to TLS, and would benefit a lot from DANE being
>>> deployed. So my interest in DANE is not a side issue. The strongest
>>> pushback against WebID (and so using client certificates) is the cost of
>>> server certificates for most players.
>>
>> You mean people who aren't using HTTPS to secure logins care about WebID?
>
> People who are not using HTTPS to secure logins won't have very secure
> logins (even passwords require protection). I am speaking about pushback
> from people who are serious about security (not counting the TOR type
> super security folks - but I will show that WebID works there too).
>
>>
>>> (the next strongest is the inability to logout from all but Firefox
>>> browsers)
>>
>> Am I really the only one who cares about usability?
>
> Firefox usability (of client certs) sucks. All the others are pretty good,
> and could easily be made better by a little work from the browser vendors.
> I demonstrate that very clearly in the video on http://webid.info/ . Now
> why browser vendors like Firefox don't do the few weeks work to get
> usability working is beyond me. I think it is partly because they don't
> understand how usable they could make client certificates with WebID.

Sigh. Why do I have to go over this every time? Usability in the
browser is only part of the problem, the rest are things like moving
between machines, dealing with revocation, migrating existing accounts
and so on.

From henry.story@bblfish.net  Tue Sep 25 09:32:43 2012
Return-Path: <henry.story@bblfish.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B238B21F8948 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QqHw3QmgBIQ7 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:32:42 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 50F6721F8943 for <dane@ietf.org>; Tue, 25 Sep 2012 09:32:42 -0700 (PDT)
Received: by wgbdr13 with SMTP id dr13so3073247wgb.13 for <dane@ietf.org>; Tue, 25 Sep 2012 09:32:41 -0700 (PDT)
Received: by 10.180.76.69 with SMTP id i5mr23041687wiw.9.1348590761112; Tue, 25 Sep 2012 09:32:41 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-165-173.w81-249.abo.wanadoo.fr. [81.249.236.173]) by mx.google.com with ESMTPS id k2sm1410361wiz.7.2012.09.25.09.32.34 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 25 Sep 2012 09:32:39 -0700 (PDT)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
Date: Tue, 25 Sep 2012 18:32:33 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <0429D665-35A9-4608-B513-4EB955C36556@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net> <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1498)
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-List-Received-Date: Tue, 25 Sep 2012 16:32:43 -0000

On 25 Sep 2012, at 18:12, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 17:06, Henry Story <henry.story@bblfish.net> wrote:
>>
>> On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com> wrote:
>>
>>> On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net> wrote:
>>>>
>>>> On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com> wrote:
>>>>
>>>>> Henry,
>>>>>
>>>>>>> WebID is not in the charter for this WG. If you want to discuss S/MIME
>>>>>>> and WebID, you are free to do so elsewhere, of course. There is no
>>>>>>> need for you to Cc this WG on that work.
>>>>>> Neither I suppose is TLS, or MIME btw, or many other standards that
>>>>>> are discussed on this list. But knowing that they exist has always
>>>>>> been important to IETF practice. It's called: not re-inventing the
>>>>>> wheel. But I see you have a problem with that. Sorry to have hurt your
>>>>>> feelings.
>>>>> If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
>>>>> you would see that TLS is cited 5 times, so your supposition above is
>>>>> wrong with regard to its first assertion.
>>>>
>>>> Thanks. But not MIME - So the point holds well enough :-)
>>>>
>>>> Anyway, the webid spec
>>>>
>>>>   http://www.w3.org/2005/Incubator/webid/spec/
>>>>
>>>> also is very clearly tied to TLS, and would benefit a lot from DANE
>>>> being deployed. So my interest in DANE is not a side issue. The
>>>> strongest pushback against WebID (and so using client certificates) is
>>>> the cost of server certificates for most players.
>>>
>>> You mean people who aren't using HTTPS to secure logins care about WebID?
>>
>> People who are not using HTTPS to secure logins won't have very secure
>> logins (even passwords require protection). I am speaking about pushback
>> from people who are serious about security (not counting the TOR type
>> super security folks - but I will show that WebID works there too).
>>
>>>
>>>> (the next strongest is the inability to logout from all but Firefox
>>>> browsers)
>>>
>>> Am I really the only one who cares about usability?
>>
>> Firefox usability (of client certs) sucks. All the others are pretty
>> good, and could easily be made better by a little work from the browser
>> vendors. I demonstrate that very clearly in the video on
>> http://webid.info/ . Now why browser vendors like Firefox don't do the
>> few weeks work to get usability working is beyond me. I think it is
>> partly because they don't understand how usable they could make client
>> certificates with WebID.
>=20
> Sigh. Why do I have to go over this every time?

I really don't know. I keep answering your questions precisely. Perhaps
you are asking them rhetorically to help me explain the difficult bits to
new audiences? :-)

> Usability in the
> browser is only part of the problem, the rest are things like moving
> between machines, dealing with revocation, migrating existing accounts
> and so on.


But that is exactly what WebID makes simple:
  - moving between machines:
     + create different certificates on each machine (use one-time
       passwords to log in if you want high security)
       here is a video that shows this:
       http://www.youtube.com/watch?v=S4dlMTZhUDc
     (+ use crypto keys if you wanted to be seriously secure)
  - dealing with revocation is easy: remove the public key from the
    WebID profile
    you can see how easy it is to do this on this live server
    https://my-profile.eu/
    (that's a one click event)
  - migrating existing accounts: you have HTTP redirects for that

I think the reason people never consider 1. is that they keep thinking =
of certificates as things you use to log into only one web site. So of =
course if that is what it were for, then having a certificate to login =
AND a password would be weird. But our position is the opposite: the =
purpose of a certificate is to login to any web site you wish to - =
usually not your home server.

Ok, so now someone is going to barge in and say this is off topic, =
probably just in time to avoid you having to answer the above points :-)
   But I hope those who are open to new ideas will see that there is =
something odd in how there is a simple working solution to a serious =
problem that is making the headlines every week, and how slow it is to =
get these ideas to move along - even amongst IETF members who have =
everything to gain from this working out.

   Henry

Social Web Architect
http://bblfish.net/


From rbarnes@bbn.com  Tue Sep 25 09:33:11 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C9CE21F878E for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:33:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.767
X-Spam-Level: 
X-Spam-Status: No, score=-106.767 tagged_above=-999 required=5 tests=[AWL=-0.169, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IfXOos9b0r5l for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 09:33:10 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id BC9D421F8789 for <dane@ietf.org>; Tue, 25 Sep 2012 09:33:10 -0700 (PDT)
Received: from [128.89.255.234] (port=54502) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1TGY4G-000BdD-SV; Tue, 25 Sep 2012 12:33:05 -0400
Date: Tue, 25 Sep 2012 18:33:03 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Ben Laurie <benl@google.com>
Message-ID: <57E1740259854F1E8FE25498CF8B1049@bbn.com>
In-Reply-To: <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net> <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com>
X-Mailer: sparrow 1.6.3 (build 1172)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="5061dcbf_1afe3625_7b3"
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 16:33:11 -0000

--5061dcbf_1afe3625_7b3
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Tuesday, September 25, 2012 at 6:12 PM, Ben Laurie wrote:
> On 25 September 2012 17:06, Henry Story <henry.story@bblfish.net (mailto:henry.story@bblfish.net)> wrote:
> >
> > On 25 Sep 2012, at 17:45, Ben Laurie <benl@google.com (mailto:benl@google.com)> wrote:
> >
> > > On 25 September 2012 16:07, Henry Story <henry.story@bblfish.net (mailto:henry.story@bblfish.net)> wrote:
> > > >
> > > > On 25 Sep 2012, at 16:45, Stephen Kent <kent@bbn.com (mailto:kent@bbn.com)> wrote:
> > > >
> > > > > Henry,
> > > > >
> > > > > > > WebID is not in the charter for this WG. If you want to discuss S/MIME and WebID, you are free to do so elsewhere, of course. There is no need for you to Cc this WG on that work.
> > > > > > Neither I suppose is TLS, or MIME btw, or many other standards that are discussed on this list. But knowing that they exist has always been important to IETF practice. It's called: not re-inventing the wheel. But I see you have a problem with that. Sorry to have hurt your feelings.
> > > > > >
> > > > >
> > > > > If you were to read the DANE charter (https://datatracker.ietf.org/wg/dane/charter/)
> > > > > you would see that TLS is cited 5 times, so your supposition above is wrong with regard to
> > > > > its first assertion.
> > > > >
> > > >
> > > >
> > > > Thanks. But not MIME - So the point holds well enough :-)
> > > >
> > > > Anyway, the webid spec
> > > >
> > > > http://www.w3.org/2005/Incubator/webid/spec/
> > > >
> > > > also is very clearly tied to TLS, and would benefit a lot from DANE being deployed. So my interest in DANE is not a side issue. The strongest pushback against WebID ( and so using client certificates ) is the cost of server certificates for most players.
> > >
> > > You mean people who aren't using HTTPS to secure logins care about WebID?
> >
> > People who are not using HTTPS to secure logins won't have very secure logins (even passwords require protection). I am speaking about pushback from people who are serious about security (not counting the TOR type super security folks - but I will show that WebID works there too).
> >
> > >
> > > > ( the next strongest is the inability to logout from all but Firefox browsers )
> > >
> > > Am I really the only one who cares about usability?
> >
> > Firefox usability (of client certs) sucks. All the others are pretty good, and could easily be made better by a little work from the browser vendors. I demonstrate that very clearly in the video on http://webid.info/ . Now why browser vendors like Firefox don't do the few weeks work to get usability working is beyond me. I think it is partly because they don't understand how usable they could make client certificates with WebID.
>
> Sigh. Why do I have to go over this every time? Usability in the
> browser is only part of the problem, the rest are things like moving
> between machines, dealing with revocation, migrating existing accounts
> and so on.
>
>

… none of which are germane to DANE.

--Richard


--5061dcbf_1afe3625_7b3--


From dan-ietf@danyork.org  Tue Sep 25 10:44:33 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D96D221F87F3 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 10:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level: 
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1n43qiYQZwB for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 10:44:33 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id CEC0821F87E7 for <dane@ietf.org>; Tue, 25 Sep 2012 10:44:32 -0700 (PDT)
Received: by qabj40 with SMTP id j40so318908qab.10 for <dane@ietf.org>; Tue, 25 Sep 2012 10:44:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=51EjLMpvuaRe94IhPSFaNVoA+2nA0PlFStwC82+z45w=; b=AiQcCwr/uS+1D0ucwytYIhtQsF0sacvry6LzLAfge4659+Rob/9YGwIMKXz+n35bRA YJhppH4dcG47o8f5IG4FxKreGom1WbV6V1yAmrHhNwI+DIFoDso4xGCc4fQAAjLTTeX6 BZ8K3nGrAuJu9AjUzPnAbWHR885f0hKNnA6acKEpJxA/bp3IccsKhYg911e6GYMBPr0j 7YyO+z0qd/xkV7tmtzy8/+IHC53EhyrKFRYSQ6Vw7UzVAOxtDcCuepBH0Li9BXW8f0Az YhvrtD58cpSe9mctTwMHqTVJ8zM8M0ppH/PvyTyASdGJZbHfAilXZKxzkIHV0mS1oZwS x9Ww==
Received: by 10.229.136.208 with SMTP id s16mr11636396qct.112.1348595072035; Tue, 25 Sep 2012 10:44:32 -0700 (PDT)
Received: from ?IPv6:2001:470:1f07:309:c985:582a:dc5b:4c9c? ([2001:470:1f07:309:c985:582a:dc5b:4c9c]) by mx.google.com with ESMTPS id d11sm1490005qaj.18.2012.09.25.10.44.30 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 25 Sep 2012 10:44:31 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_9F6F955B-BEFC-4332-93B1-E89C5CAFAB8C"
From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net>
Date: Tue, 25 Sep 2012 13:44:28 -0400
Message-Id: <D70512B7-6F48-4BCA-9AD3-3783715ACA12@danyork.org>
References: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net>
To: Henry Story <henry.story@bblfish.net>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQlMaU/Ts8heewBaQugGPRixpMtZPlibaWGdZxwkQlS5oljPjRNnUJe/9jIM1ZIb9XFocXDt
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] deployment of DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 17:44:34 -0000

--Apple-Mail=_9F6F955B-BEFC-4332-93B1-E89C5CAFAB8C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

So in a funny bit of synchronicity, I just turned to my mail client to write basically this exact message that Henry sent this morning:

On Sep 25, 2012, at 4:13 AM, Henry Story wrote:

> Any feedback on advances on deployment of DANE in browsers?
>
> Are there any browsers that support this already, are working on it?

I also am very interested in this info.  My work is with the Internet Society's Deploy360 Programme ( http://www.internetsociety.org/deploy360/ ) where our focus is on promoting materials and information to accelerate the deployment of DNSSEC and IPv6.  I have lately been promoting the work of this (DANE) working group in recent presentations at conferences and there has been quite a good bit of interest in DANE.  I see DANE as providing an excellent reason for companies and organizations to deploy DNSSEC (in fact perhaps *THE* reason for some companies) and it finally gives us a way to talk about how DNSSEC and TLS/SSL can complement each other to provide a more secure solution.

But... if there's no timeframe for seeing DANE actually deployed in browsers... then... I'm winding up setting expectations for something that may not happen. :-(

Any info about there on getting it in Chrome? Firefox? Opera? IE? Safari?

Any and all info would be greatly appreciated.

Thanks,
Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork



--Apple-Mail=_9F6F955B-BEFC-4332-93B1-E89C5CAFAB8C--

From dan-ietf@danyork.org  Tue Sep 25 12:06:57 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70BCD21F8871 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 12:06:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level: 
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fWinvx4woPIU for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 12:06:56 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 21E4921F886E for <dane@ietf.org>; Tue, 25 Sep 2012 12:06:56 -0700 (PDT)
Received: by qaec10 with SMTP id c10so4493454qae.10 for <dane@ietf.org>; Tue, 25 Sep 2012 12:06:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=c4CqPhFZiBk0lUiBgHiwWAjz8tFGntsCtGbWrP63QBk=; b=KY4fuiFUKIykHpYWCN4NaAvzg+RwzL1yr6SBu/UFs7qUj/KIU6BMAF1Tpvucyd0nuQ /9bmh1HMDpiA7jU0yBmqaOi10VvBSAU9rBLXJN7DpVXCo26JPp91ILjEQROGGdAPEla8 jV8XrrsRXUdcVQidNMmfA4VfTrD1pVNOdGertvt3wPRSTl8e+10UwxD1rQFMOFRQulGD FE3Z5On/QCiSwhc4mRlVrW+pCpEQ031DqV7Ul1iDAEorgyw+F/RcokhroiCwB1LGGMOY 8CrdBij7QlUgxoP0606wKsJ6Ualyx/L91i95VNdxNUWqLdYm1U5wEL6DDKu4AX+2KBGF gPxA==
Received: by 10.224.190.200 with SMTP id dj8mr42423421qab.73.1348600015462; Tue, 25 Sep 2012 12:06:55 -0700 (PDT)
Received: from ?IPv6:2001:470:1f07:309:c985:582a:dc5b:4c9c? ([2001:470:1f07:309:c985:582a:dc5b:4c9c]) by mx.google.com with ESMTPS id dp3sm1721589qab.21.2012.09.25.12.06.53 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 25 Sep 2012 12:06:54 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_3614C0D8-0A56-4920-AC67-0EC29507B434"
From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk>
Date: Tue, 25 Sep 2012 15:06:52 -0400
Message-Id: <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQnp3zGWyD33i5St9hQVBa0w0Sx+cMvepBEsgELl/F078+5MVk+d7mxX/XMWg0yi9uyBNkOq
Cc: dane@ietf.org
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 19:06:57 -0000

--Apple-Mail=_3614C0D8-0A56-4920-AC67-0EC29507B434
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii


On Sep 24, 2012, at 7:32 PM, Tony Finch wrote:

> * Would sharing an RRtype lead to useful code sharing between S/MIME and
> TLS implementations?
>
>> Reuse of TLSA RR by a protocol means subscribing to supporting new
>> entries in the above registries and even allowing new entries in there
>> that only make sense in one context.
>
> TLS is about authenticating peers. S/MIME is about encryption as well as
> verifying signatures. So I would expect TLS records to be more about
> digests of certificates (for brevity) whereas S/MIME records to contain
> public keys or entire certs.


As I've been reading this whole conversation I've been struggling with this last kind of point in my brain, mostly because I think of this not in terms of "Using DANE with S/MIME" but rather in terms of "Using DANE with $foo" where S/MIME is merely one of hopefully many different protocols that could work with DANE. (My own personal interest, coming from the VoIP space, is in seeing how it might someday work with SIP.)

I keep coming to three questions:

1. What is the easiest option for developers creating applications?
2. What is the easiest option for infrastructure operators who may be barriers to having those applications work?
3. What is the easiest option for DNS hosting providers where DNS records may be entered?

My worry with #2 is that if we have a proliferation of RRtypes for each value of $foo, we'll wind up with a situation where some infrastructure components (ex. aggressive firewalls) may need to be changed to allow each RRtype to be allowed through.  Similarly for #3, a graphical user interface where people enter records would need to be changed to support each new RRtype.  Some DNS hosting providers might do this quickly, some wouldn't. Either way it's work they have to do.

Sticking with a single RRtype for any "DANE" usage would make these parts far simpler.  Get them to support the "TLSA" record and they're done.

Likewise, for application developers, the use of a single RRtype would potentially allow sharing of code between different $foo implementations.

BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?  Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?

Still pondering all this,
Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork


--Apple-Mail=_3614C0D8-0A56-4920-AC67-0EC29507B434--

From leifj@mnt.se  Tue Sep 25 12:17:01 2012
Return-Path: <leifj@mnt.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F8B21F84E6 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 12:17:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2yUeEoYQgv-H for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 12:17:00 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 2F51D21F84CE for <dane@ietf.org>; Tue, 25 Sep 2012 12:17:00 -0700 (PDT)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.5/8.14.3) with ESMTP id q8PJGprS008856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dane@ietf.org>; Tue, 25 Sep 2012 21:16:56 +0200 (CEST)
Message-ID: <50620323.2060208@mnt.se>
Date: Tue, 25 Sep 2012 21:16:51 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20120827 Thunderbird/15.0
MIME-Version: 1.0
To: dane@ietf.org
References: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net>
In-Reply-To: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net>
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dane] deployment of DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 19:17:01 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/25/2012 10:13 AM, Henry Story wrote:
> Any feedback on advances on deployment of DANE in browsers?
> 
> Are there any browsers that support this already, are working on
> it?
> 
> Henry
specifically browsers or was that just a slip-o-the finger?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBiAx8ACgkQ8Jx8FtbMZndkKQCeI8BNUAiSn+t2gCPgBG/w3tEN
7jwAnjgIWXBo2Jw19T6uQKozR+BpvHZw
=cVTk
-----END PGP SIGNATURE-----

From warren@kumari.net  Tue Sep 25 12:29:00 2012
Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58F7B21F8965 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 12:29:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.132
X-Spam-Level: 
X-Spam-Status: No, score=-101.132 tagged_above=-999 required=5 tests=[AWL=0.867, BAYES_00=-2.599, J_CHICKENPOX_57=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nHZsg93sGyEN for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 12:28:59 -0700 (PDT)
Received: from vimes.kumari.net (smtp1.kumari.net [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id A955521F895E for <dane@ietf.org>; Tue, 25 Sep 2012 12:28:59 -0700 (PDT)
Received: from [192.168.1.201] (unknown [62.50.236.58]) by vimes.kumari.net (Postfix) with ESMTPSA id 1FA471B40207; Tue, 25 Sep 2012 15:28:57 -0400 (EDT)
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1486\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <D70512B7-6F48-4BCA-9AD3-3783715ACA12@danyork.org>
Date: Tue, 25 Sep 2012 21:28:57 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <2F49A732-394A-4AD5-B14B-89D46CCFE071@kumari.net>
References: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net> <D70512B7-6F48-4BCA-9AD3-3783715ACA12@danyork.org>
To: Dan York <dan-ietf@danyork.org>
X-Mailer: Apple Mail (2.1486)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] deployment of DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 19:29:00 -0000

On Sep 25, 2012, at 7:44 PM, Dan York <dan-ietf@danyork.org> wrote:

> So in a funny bit of synchronicity, I just turned to my mail client to write basically this exact message that Henry sent this morning:
> 
> On Sep 25, 2012, at 4:13 AM, Henry Story wrote:
> 
>> Any feedback on advances on deployment of DANE in browsers?
>> 
>> Are there any browsers that support this already, are working on it?
> 
> I also am very interested in this info.  My work is with the Internet Society's Deploy360 Programme ( http://www.internetsociety.org/deploy360/ ) where our focus is on promoting materials and information to accelerate the deployment of DNSSEC and IPv6.  I have lately been promoting the work of this (DANE) working group in recent presentations at conferences and there has been quite a good bit of interest in DANE.  I see DANE as providing an excellent reason for companies and organizations to deploy DNSSEC (in fact perhaps *THE* reason for some companies) and it finally gives us a way to talk about how DNSSEC and TLS/SSL can complement each other to provide a more secure solution.
> 
> But... if there's no timeframe for seeing DANE actually deployed in browsers... then... I'm winding up setting expectations for something that may not happen. :-(
> 
> Any info about there on getting it in Chrome? Firefox? Opera? IE? Safari?

Something that would be very helpful for getting this deployed / implemented in browsers is a number of folk (and more importantly, organizations) stating that they are planning on / would do DANE if the browsers supported it natively. Of course, even more helpful would be folk actually publishing TLSA records :-P

The browser vendors all have limited cycles, and many many things to implement -- showing that this is something that users (and not just security weenie users) want and plan to use helps to prioritize developer time.

Initially the browser vendors might be most willing to support DANE / TLSA as a fallback for things like self signed certs before enabling it all the time. Yes, this is suboptimal, but browser folk are (rightly) concerned about performance *and* additional DNS load, so this provides a useful shoe in the door / demo…

W



> 
> Any and all info would be greatly appreciated.
> 
> Thanks,
> Dan
> 
> -- 
> Dan York  dyork@lodestar2.com
> http://www.danyork.me/   skype:danyork
> Phone: +1-802-735-1624
> Twitter - http://twitter.com/danyork
> 
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From peter@palfrader.org  Tue Sep 25 14:48:33 2012
Return-Path: <peter@palfrader.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E20A21F86D5 for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 14:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0fVtNMqBeSbd for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 14:48:32 -0700 (PDT)
Received: from anguilla.debian.or.at (anguilla.debian.or.at [IPv6:2001:858:10f:6::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7885621F86D4 for <dane@ietf.org>; Tue, 25 Sep 2012 14:48:32 -0700 (PDT)
Received: by anguilla.debian.or.at (Postfix, from userid 1002) id 6FEA810E808; Tue, 25 Sep 2012 23:48:31 +0200 (CEST)
Date: Tue, 25 Sep 2012 23:48:31 +0200
From: Peter Palfrader <peter@palfrader.org>
To: dane@ietf.org
Message-ID: <20120925214831.GX22973@anguilla.noreply.org>
References: <6E1939C1-E3EB-4A00-B553-7A0EF640C01A@bblfish.net> <D70512B7-6F48-4BCA-9AD3-3783715ACA12@danyork.org> <2F49A732-394A-4AD5-B14B-89D46CCFE071@kumari.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2F49A732-394A-4AD5-B14B-89D46CCFE071@kumari.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: Re: [dane] deployment of DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 21:48:33 -0000

On Tue, 25 Sep 2012, Warren Kumari wrote:

> Something that would be very helpful for getting this deployed /
> implemented in browsers is number of folk (and more importantly,
> organizations) stating that they are planning on / would do DANE if
> the browsers supported it natively. Of course, even more helpful would
> be folk actually publishing TLSA records :-P

Well, we (torproject.org) already are publishing TLSA records for
www.torproject.org and a bunch of other https enabled services, and our
users have been targeted with rogue CA-issued certs in the past.
Browsers actually using the record would be really good news.

I have also put TLSA records for my other we (debian.org), but most of
them are less end-user targeted and more targeted to people involved in
the development of Debian.  But still, more deployed records!

Cheers,
Peter
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

From paul.hoffman@vpnc.org  Tue Sep 25 15:32:39 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D64F21F863C for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 15:32:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.596
X-Spam-Level: 
X-Spam-Status: No, score=-102.596 tagged_above=-999 required=5 tests=[AWL=0.003, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjTAC10vA-oj for <dane@ietfa.amsl.com>; Tue, 25 Sep 2012 15:32:39 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id ECCF721F8639 for <dane@ietf.org>; Tue, 25 Sep 2012 15:32:38 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q8PMWZx8083618 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 25 Sep 2012 15:32:36 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org>
Date: Tue, 25 Sep 2012 15:32:35 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org>
To: Dan York <dan-ietf@danyork.org>
X-Mailer: Apple Mail (2.1498)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 22:32:39 -0000

On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:

> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?

No, because the types of content are identical.

> Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?

That's not content, that's the request you used to get the content.

As Ben pointed out earlier, we need to make a few changes saying "where DANE talks about a chain sent by the server, this document is talking about a chain sent by the other party". But the contents are the same.

--Paul Hoffman

From benl@google.com  Wed Sep 26 01:46:07 2012
Return-Path: <benl@google.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D27721F8793 for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 01:46:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level: 
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trzGHVwyTqCV for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 01:46:06 -0700 (PDT)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7E83221F8425 for <dane@ietf.org>; Wed, 26 Sep 2012 01:46:06 -0700 (PDT)
Received: by oagn5 with SMTP id n5so393128oag.31 for <dane@ietf.org>; Wed, 26 Sep 2012 01:46:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=ie6duJ+FPNgFMngXp4kEUlWNjiU9BM3CLYt7UhAiLEc=; b=fVDy9tYJdv7J8cbeN/i12EZz5y2/n3fqEjJr0uRQYUyQ+9A3WPbw16r4rShgMpRwBo uxAO6sn96yJeMaU6zYYz+VBUqaJw00Ni90UpIjsX5vU7YuqZ+nOZlXceUY2jCqPid41d xOCR/d1JAKy7qBSQ9k4Ri7UN0vIEVeH19XXjLBNkxHkg/LbvTl+53/Pgdam/0mZwtBYo ICmXV8Vqs7Yt4v2o+PqhlS0l2wwqCX4YsMDsDYE3g1sk55+VTHors7QpUupevIJdrsc0 z7XUDawKJvCUUm6NiqQ2vcf5WYsLXC2iT+AycYLyEMNFO5oZ20rzmIMr/a3otUXBZhEg C+JA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=ie6duJ+FPNgFMngXp4kEUlWNjiU9BM3CLYt7UhAiLEc=; b=Tm/c3K8hK7jECuT7Tc+OEuAYEY3FlxUV4c+c3AFtKoS07tMQPqFk2U1Z1+KTgejwgf loRGUbRUMw8fta+p1TNrSsKxcwH5as5j3WRkmexK3p7VEFhvlBpaEb9k22H+imaelNMy 1haC+YPq/1KWbEmKRuYhtlKzPfYPvNRWlzH4kmAew1G/4yzF9t/bzWPeOP96ieb9aOIX IaP1ntiqgifVV05HtQJbfjgB6320n7CSBIokN09Kw8lvc0l6ACPRyS2ZQO647KEJL0Ro fI+bPTLgggMs4KQZ3uV1FEwHsl/mTSF63Hm+EqjA9BwtSOG1Br2UGIZyfESl69NSg0KB +prg==
Received: by 10.182.131.106 with SMTP id ol10mr10816773obb.91.1348649165623; Wed, 26 Sep 2012 01:46:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.131.106 with SMTP id ol10mr10816765obb.91.1348649165508; Wed, 26 Sep 2012 01:46:05 -0700 (PDT)
Received: by 10.60.39.136 with HTTP; Wed, 26 Sep 2012 01:46:05 -0700 (PDT)
In-Reply-To: <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org>
Date: Wed, 26 Sep 2012 09:46:05 +0100
Message-ID: <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQm57t0Pdt9F7CYeCV44fMjElAjPfCVUv5cWoHM6bvRIX5xcFmH8loqDM1k676ySNm+3S2qS5f+vpoFJhJqReUyqFg4VWpyB2CjVPIvlBQEqGsA7DUoW5Ld4qsjPOGPpX9wXfBw2rziymD3QaRjntbt5WSPQKrvVaKbP5Vm7rE0ytV59HQGQ2Oy5xzaEBF5V5xWzggL9
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 08:46:07 -0000

On 25 September 2012 23:32, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:
>
>> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?
>
> No, because the types of content are identical.

They are not, as I just pointed out in the other thread.

>> Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?
>
> That's not content, that's the request you used to get the content.
>
> As Ben pointed out earlier, we need to make a few changes saying "where DANE talks about a chain sent by the server, this document is talking about a chain sent by the other party". But the contents are the same.

You could argue that all RRs merely contain bytes, so their contents
are "the same". If they mean different things, then they're not
_really_ the same.

It could be that TLSA could be redrafted to fix this problem.

From paul.hoffman@vpnc.org  Wed Sep 26 07:56:12 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4751421F87B9 for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 07:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.596
X-Spam-Level: 
X-Spam-Status: No, score=-102.596 tagged_above=-999 required=5 tests=[AWL=0.003, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjZdjv6a38FC for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 07:56:11 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id B342921F8629 for <dane@ietf.org>; Wed, 26 Sep 2012 07:56:11 -0700 (PDT)
Received: from [10.20.30.108] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q8QEu7DF016029 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 26 Sep 2012 07:56:08 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com>
Date: Wed, 26 Sep 2012 07:56:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org> <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.1498)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 14:56:12 -0000

On Sep 26, 2012, at 1:46 AM, Ben Laurie <benl@google.com> wrote:

> On 25 September 2012 23:32, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:
>> 
>>> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?
>> 
>> No, because the types of content are identical.
> 
> They are not, as I just pointed out in the other thread.

Unless I missed it (certainly a possibility), what you pointed out was different semantics for identical content. That is, where the RFC talks about the trust anchor for the server, and chains sent by the server, we need to change that to trust anchors used by, and chains sent by, the sending party. No bits on the wire change, right?

>>> Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?
>> 
>> That's not content, that's the request you used to get the content.
>> 
>> As Ben pointed out earlier, we need to make a few changes saying "where DANE talks about a chain sent by the server, this document is talking about a chain sent by the other party". But the contents are the same.
> 
> You could argue that all RRs merely contain bytes, so their contents
> are "the same".

No, you can't. The TLSA RR has particular fields with particular structure. That structure is identical in SMIMEA.

> If they mean different things, then they're not
> _really_ the same.

Nor do they need to be _really_ the same, just have the same format.

> It could be that TLSA could be redrafted to fix this problem.

It sounds like a new RFC can update the TLSA draft. That's exactly what we are proposing. :-)

--Paul Hoffman
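The point Paul makes above (same RDATA layout for TLSA and SMIMEA, with the owner name, not the content, telling the consumer which semantics apply) is easy to see in code. The following is an added example written for this archive; it is not code from draft-hoffman-dane-smime, from RFC 6698, or from any project mentioned in the thread. It assumes the three-field RDATA layout of RFC 6698 (certificate usage, selector, matching type, then association data), the `_port._proto` owner-name convention for TLSA, and the `_smimecert` second label that Dan's message mentions; the left-most label of the S/MIME owner name is a placeholder, the DER helpers are written here for the example, and the certificates are constructed, unsigned test inputs.

```python
import hashlib
import hmac

# --- Minimal DER helpers (written for this example, not a library API) ---

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite-length header (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate (selector 1 input)."""
    _, cert_body, _ = der_read(cert_der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)             # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                                # optional explicit [0] version
        pos = nxt
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[pos:end]


def build_fake_cert(spki_body: bytes) -> bytes:
    """Construct a structurally valid Certificate DER with a dummy signature (test input only)."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_tlv(0x05, b""))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    name = der_tlv(0x30, b"")                      # empty Name; enough for this walker
    validity = der_tlv(0x30, der_tlv(0x17, b"120101000000Z") + der_tlv(0x17, b"130101000000Z"))
    tbs = der_tlv(0x30, version + serial + alg + name + validity + name + der_tlv(0x30, spki_body))
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))


# --- RDATA: usage(1) selector(1) matching type(1) association data; same for TLSA and SMIMEA ---

def make_rdata(usage: int, selector: int, mtype: int, cert_der: bytes) -> bytes:
    """Build the RDATA a zone operator would publish for cert_der."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError(f"unknown matching type {mtype}")
    return bytes([usage, selector, mtype]) + data


def parse_rdata(rdata: bytes):
    """Split RDATA into (usage, selector, mtype, association data)."""
    if len(rdata) < 4:
        raise ValueError("RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def rdata_matches(rdata: bytes, presented_cert_der: bytes) -> bool:
    """Check a presented certificate against one published record, comparing in constant time."""
    usage, selector, mtype, assoc = parse_rdata(rdata)
    expected = make_rdata(usage, selector, mtype, presented_cert_der)[3:]
    return hmac.compare_digest(expected, assoc)


def record_semantics(owner_name: str) -> str:
    """The owner name, not the RDATA, says whether the record describes a TLS server or an S/MIME party."""
    labels = owner_name.rstrip(".").split(".")
    if len(labels) >= 3 and labels[1] == "_smimecert":
        return "smime"
    if len(labels) >= 3 and labels[1] in ("_tcp", "_udp", "_sctp"):
        return "tls"
    raise ValueError(f"unrecognised owner name {owner_name}")


# Constructed sample input: two fake RSA SubjectPublicKeyInfo bodies that differ only in key bits.
_RSA_ALG = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_tlv(0x05, b""))
SPKI_A = _RSA_ALG + der_tlv(0x03, b"\x00" + b"A" * 32)
SPKI_B = _RSA_ALG + der_tlv(0x03, b"\x00" + b"B" * 32)
CERT_A = build_fake_cert(SPKI_A)
CERT_B = build_fake_cert(SPKI_B)

if __name__ == "__main__":
    rec = make_rdata(3, 1, 1, CERT_A)              # usage 3, SPKI, SHA-256
    print(rec.hex())
    print(rdata_matches(rec, CERT_A), rdata_matches(rec, CERT_B))
    print(record_semantics("_443._tcp.www.example.com."), record_semantics("placeholder._smimecert.example.com."))
```

`make_rdata`, `parse_rdata` and `rdata_matches` know nothing about which protocol the record serves; only `record_semantics` looks at the owner name, which is the split between "content" and "the request you used to get the content" that the two messages above argue over. The comparison uses `hmac.compare_digest` so a verifier does not leak how many leading bytes of a digest matched.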

From benl@google.com  Wed Sep 26 08:06:23 2012
Return-Path: <benl@google.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2F3321F8658 for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 08:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level: 
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcLhSLIp887V for <dane@ietfa.amsl.com>; Wed, 26 Sep 2012 08:06:22 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5E41221F84C4 for <dane@ietf.org>; Wed, 26 Sep 2012 08:06:22 -0700 (PDT)
Received: by obqv19 with SMTP id v19so833073obq.31 for <dane@ietf.org>; Wed, 26 Sep 2012 08:06:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=bHZU2jOHC4VJsnO7GMMTuVCiBY6wDWkd8An3qWmIdA0=; b=cjN032iy5UbBn4qLwanGeVSaMUy2EHY/WuilkxPkNLMG0mQEnLwFIsIYZnoy2/5Yok NaymOF8APSKIbUX0uObdHiTEU2/2ZmHylKCK2Q4WPDK6/c1xRHjSRUeR3X6NFuMGey4w JAm6kHtz+WuBq1VmRvr/je5Ottqvg9vO6VvTwVKxvfntMewdlHK7ngQYMz1CzEudUnak rIKBKI5EUi6fxyND8ENjTSd/8N53UEnnQSMYmL2JAM1nd3zEemxU9ZW/0YLi75g+cpyC kTg7hz5YEOKGHCvUFfN4AojjeuWxPoJFN+luxdMbu0Dc2mvdgLq6oktQcKFK+jEuaoKa syKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=bHZU2jOHC4VJsnO7GMMTuVCiBY6wDWkd8An3qWmIdA0=; b=VXYo5h6oMG3fAc7e3nttYiSbyc0ktT93tu6c811ugcUz+foTJKfoCB1u2kyKvIwaEv 3peVz6dkYOuEarOw4L/XgzG7gJwnsD+ZlujOj5rXV7uJDEDasTOXP6LCHkfa9n3cGAzm 0A26JJTwTTbPJbBeHhsYOTzuBT9zfdGV1QCZbXDb1rGDxEdsp3RaCjUzIHAm9+PBo290 bLKLm+c6Im4/kLustnlK9S8Y92FxCgk7L6a+wbg1/uiMv8uKWKok+7bh3l/zd8or268d BXdrkTJxQvKw94PYSr4RXDK1UlFDIu8xeD3X4lav04m/sJDpNnUH5TATgqjPRQWER/9/ v1Nw==
Received: by 10.60.20.197 with SMTP id p5mr692036oee.32.1348671974976; Wed, 26 Sep 2012 08:06:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.60.20.197 with SMTP id p5mr692026oee.32.1348671974866; Wed, 26 Sep 2012 08:06:14 -0700 (PDT)
Received: by 10.60.39.136 with HTTP; Wed, 26 Sep 2012 08:06:14 -0700 (PDT)
In-Reply-To: <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org> <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com> <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org>
Date: Wed, 26 Sep 2012 16:06:14 +0100
Message-ID: <CABrd9SRkE2KuzypFJbDo4XUzGtfdeA-UFMGChM8ktSLwJquCvQ@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQm3PSH9TbYhtVGJ4XL0iZ/Y93KpSw3+uvI7nis0were5xcpL7JX7a8rwpxVpyBd6bP/zKdLVMua5gkSk7LACz4cmSqd8YDfiLnM5tfM6+G7dzDyh/Jm42XK5wxP8nFvAg4dbcMYpd/UwACz8pW0LSvgWhRs11bqf6pEH1w7nMOxVv0qOpKDNu0LdArUAzG6xO90EXea
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Sep 2012 15:06:23 -0000

On 26 September 2012 15:56, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On Sep 26, 2012, at 1:46 AM, Ben Laurie <benl@google.com> wrote:
>
>> On 25 September 2012 23:32, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>> On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:
>>>
>>>> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?
>>>
>>> No, because the types of content are identical.
>>
>> They are not, as I just pointed out in the other thread.
>
> Unless I missed it (certainly a possibility), what you pointed out was different semantics for identical content. That is, where the RFC talks about the trust anchor for the server, and chains sent by the server, we need to change that to trust anchors used by, and chains sent by, the sending party. No bits on the wire change, right?
>
>>>> Or is that adequately addressed by having the second left-most label in the domain name (ex. "_smimecert") be the way that a developer would know what is in the TLSA RR and therefore how it should be processed?
>>>
>>> That's not content, that's the request you used to get the content.
>>>
>>> As Ben pointed out earlier, we need to make a few changes saying "where DANE talks about a chain sent by the server, this document is talking about a chain sent by the other party". But the contents are the same.
>>
>> You could argue that all RRs merely contain bytes, so their contents
>> are "the same".
>
> No, you can't. The TLSA RR has particular fields with particular structure. That structure is identical in SMIMEA.
>
>> If they mean different things, then they're not
>> _really_ the same.
>
> Nor do they need to be _really_ the same, just have the same format.
>
>> It could be that TLSA could be redrafted to fix this problem.
>
> It sounds like a new RFC can update the TLSA draft. That's exactly what we are proposing. :-)

I am more than happy for our different brands of pedantry to coexist
in this case :-)

From dan-ietf@danyork.org  Wed Sep 26 08:34:29 2012
From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org>
Date: Wed, 26 Sep 2012 11:34:16 -0400
Message-Id: <CBE06D6B-2022-4151-830C-AB43AF9CE5E8@danyork.org>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org> <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com> <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA

Paul,

On Sep 26, 2012, at 10:56 AM, Paul Hoffman wrote:

> On Sep 26, 2012, at 1:46 AM, Ben Laurie <benl@google.com> wrote:
>
>> On 25 September 2012 23:32, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>> On Sep 25, 2012, at 12:06 PM, Dan York <dan-ietf@danyork.org> wrote:
>>>
>>>> BUT... to Tony's last point, are we in fact making it *harder* for developers by overloading the TLSA RRtype with different types of content?
>>>
>>> No, because the types of content are identical.
>>
>> They are not, as I just pointed out in the other thread.
>
> Unless I missed it (certainly a possibility), what you pointed out was different semantics for identical content. That is, where the RFC talks about the trust anchor for the server, and chains sent by the server, we need to change that to trust anchors used by, and chains sent by, the sending party. No bits on the wire change, right?

My comments were reacting largely to Tony's comment about the content of the TLSA record:

> TLS is about authenticating peers. S/MIME is about encryption as well as
> verifying signatures. So I would expect TLS records to be more about
> digests of certificates (for brevity) whereas S/MIME records to contain
> public keys or entire certs.

To me it just seemed that there could be app developer confusion if in the one case the TLSA record is a digest of a certificate and in another case the TLSA record might be a full certificate.

Having said that, I've now gone back and re-read RFC 6698 and seen clearly that this is all covered with the Matching Type field in section 2.1.3 and so any "DANE implementation" needs to be able to understand both the digest and the full certificate.

So consider my comments withdrawn.... and thanks for the replies that forced me to deepen my understanding of the DANE protocol. :-)

Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork

From dan-ietf@danyork.org  Wed Sep 26 11:27:35 2012
From: Dan York <dan-ietf@danyork.org>
Date: Wed, 26 Sep 2012 14:27:26 -0400
Message-Id: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
To: IETF DANE WG list <dane@ietf.org>
Subject: [dane] Anyone interested in writing a DANE tutorial?

On Tue, 25 Sep 2012, Warren Kumari wrote:

> Something that would be very helpful for getting this deployed /
> implemented in browsers is number of folk (and more importantly,
> organizations) stating that they are planning on / would do DANE if
> the browsers supported it natively. Of course, even more helpful would
> be folk actually publishing TLSA records :-P

To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how to publish a TLSA record?  Or collaborating on writing one?

If we had a page that was a simple set of steps it would be something we could pass around and encourage people to consider doing.  I'm thinking of something like:

Existing certificate:
 - get a copy of your TLS certificate
 - generate the appropriate hash using ____
 - create a DNS record that looks like "........."
 - publish record (including DNSSEC signing) and celebrate

New certificate
  - generate a new TLS certificate using ____
  - install certificate in your web server (perhaps assume Apache for the tutorial)
  - generate the appropriate hash using ____
 - create a DNS record that looks like "........."
 - publish record (including DNSSEC signing) and celebrate

Now those steps may not be complete... this is just a first thought... and given that I've never deployed a TLSA record (but would like to) I don't know the exact steps.

If anyone would be interested in creating something like this, I'd be glad to publish it on our Deploy360 site (with attribution to you and a link to a site) or if you publish it on your site I'd be glad to link to it from Deploy360.  Or if you'd like to collaborate with me on writing something, I'd be glad to help with it.

Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some text narrative explaining the commands.

Anyone interested?

Thanks,
Dan


-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork

From pieter.lexis@os3.nl  Wed Sep 26 14:12:06 2012
Message-ID: <50636FA2.6050403@os3.nl>
Date: Wed, 26 Sep 2012 23:12:02 +0200
From: Pieter Lexis <pieter.lexis@os3.nl>
To: dan-ietf@danyork.org
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
In-Reply-To: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
Cc: dane@ietf.org
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?

Hi Dan,

On 09/26/2012 08:27 PM, Dan York wrote:
> If we had a page that was a simple set of steps it would be something
>  we could pass around and encourage people to consider doing.  I'm
> thinking of something like:
> 
> Existing certificate:
>  - get a copy of your TLS certificate
>  - generate the appropriate hash using ____
>  - create a DNS record that looks like "........."
>  - publish record (including DNSSEC signing) and celebrate
> 
> New certificate
>   - generate a new TLS certificate using ____
>   - install certificate in your web server (perhaps assume Apache for
> the tutorial)
>   - generate the appropriate hash using ____
>  - create a DNS record that looks like "........."
>  - publish record (including DNSSEC signing) and celebrate
>
> Now those steps may not be complete... this is just a first thought...
> and given that I've never deployed a TLSA record (but would like to) I
> don't know the exact steps. 

Looks good to me. Appendix A.4 of RFC 6698[1] describes the way to do it
(it is similar to DNSSEC key-rollover). I would recommend reading
Appendix A in full to understand the implication of certain choices of
matching type and selector.

As for tooling, I wrote a (proof of concept) tool called 'swede'[2] in
January of this year (and updated it when needed). It has been used to
create the Examples (Appendix C) in RFC 6698. The code is a bit messy,
but it works. I'm currently re-implementing it in a more maintainable
fashion (hopefully finished within a few weeks, but you never know).

> Even if someone could sketch out the basic outline of the commands one
> would use for the steps above, I'd be glad to write some text narrative
> explaining the commands.

I'd say try: swede and ask me or the mailing list for feedback when you
publish your articles.

Cheers,

Pieter

1 - http://tools.ietf.org/html/rfc6698#appendix-A.4
2 - https://github.com/pieterlexis/swede

From paul@cypherpunks.ca  Wed Sep 26 15:15:13 2012
Date: Wed, 26 Sep 2012 18:15:10 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
To: Dan York <dan-ietf@danyork.org>
In-Reply-To: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
Message-ID: <alpine.LFD.2.02.1209261809490.9988@bofh.nohats.ca>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?

On Wed, 26 Sep 2012, Dan York wrote:

> To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how
> to publish a TLSA record? Or collaborating on writing one?

My slidedeck from Linux Security Summit 2012 had that information.
I'll also be presenting about this at SecTor and ICANN.

> Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some
> text narrative explaining the commands.

yum | apt-get install hash-slinger (from http://people.redhat.com/pwouters/hash-slinger )

[paul@bofh]$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

Or use -o generic, to get the record in generic format for those
nameservers or signers that do not yet support the TLSA RRtype:

[paul@bofh]$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

Paul
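
The steps Dan sketched and the two records shown above, worked through in Python as an added example (not hash-slinger, swede, or any code posted in this thread): it builds the RFC 6698 section 2.1 rdata for a DER certificate with either selector and with matching types 0, 1 and 2, prints it in the native presentation format and in the RFC 3597 generic TYPE52 form, and performs the DANE-EE (usage 3) association check that a verifier runs, which is why that check has to handle the full-data form as well as the digests Dan mentions. The certificate is a constructed X.509 skeleton with placeholder key and signature bytes, built by a tiny DER encoder in the block; the owner name _443._tcp.example.com. is an example.

```python
"""Constructed example for this thread (not hash-slinger, swede, or any code
posted here): build TLSA rdata per RFC 6698 section 2.1 from a DER certificate,
print it in native and RFC 3597 generic (TYPE52) form, check it as DANE-EE."""
import hashlib

def der(tag, content):
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

# DER content bytes of the OIDs used by the constructed certificate.
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
OID_SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                   # 2.5.4.3

def build_test_certificate(serial, key_bytes):
    """Constructed X.509 v3 skeleton for testing: syntactically valid DER, but
    the public key and signature are placeholder bytes, not real crypto."""
    alg = der(0x30, der(0x06, OID_SHA256_WITH_RSA) + b"\x05\x00")
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME)
                                       + der(0x0C, b"test"))))
    validity = der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"130101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00")
               + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial)
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))

def subject_public_key_info(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate (selector 1)."""
    _, pos, _ = tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                        # serial, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    _, _, end = tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_rdata(cert_der, usage, selector, matching):
    """Wire-format rdata: usage || selector || matching type || association data."""
    if selector == 0:                         # Cert: the full certificate
        data = cert_der
    elif selector == 1:                       # SPKI: the public key only
        data = subject_public_key_info(cert_der)
    else:
        raise ValueError("unsupported selector %d" % selector)
    if matching == 0:                         # Full: exact match on the data
        assoc = data
    elif matching == 1:                       # SHA2-256
        assoc = hashlib.sha256(data).digest()
    elif matching == 2:                       # SHA2-512
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unsupported matching type %d" % matching)
    return bytes([usage, selector, matching]) + assoc

def presentation_record(owner, rdata):
    """Native presentation format, the same shape 'tlsa --create' prints."""
    return "%s IN TLSA %d %d %d %s" % (owner, rdata[0], rdata[1], rdata[2],
                                       rdata[3:].hex())

def generic_record(owner, rdata):
    """RFC 3597 unknown-type form (TLSA is type 52) for tools without TLSA support."""
    return "%s IN TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex())

def matches(cert_der, rdata):
    """DANE-EE check: recompute the association data from the presented
    end-entity certificate and compare. A verifier must therefore handle
    matching type 0 (full data) as well as the digest types."""
    if len(rdata) < 4:
        return False
    try:
        return tlsa_rdata(cert_der, rdata[0], rdata[1], rdata[2]) == rdata
    except ValueError:                        # unknown selector/matching: unusable
        return False

if __name__ == "__main__":
    cert = build_test_certificate(b"\x01", bytes(range(32)))
    for selector, matching in ((0, 1), (1, 1), (0, 0)):
        rd = tlsa_rdata(cert, 3, selector, matching)
        print(presentation_record("_443._tcp.example.com.", rd))
        print(generic_record("_443._tcp.example.com.", rd))
```

Usages 0 to 2 additionally require the PKIX or chain checks described in RFC 6698 section 2.1.1, which this DANE-EE check deliberately leaves out.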

From fanf2@hermes.cam.ac.uk  Thu Sep 27 02:04:13 2012
Date: Thu, 27 Sep 2012 10:04:08 +0100
From: Tony Finch <dot@dotat.at>
To: Dan York <dan-ietf@danyork.org>
In-Reply-To: <CBE06D6B-2022-4151-830C-AB43AF9CE5E8@danyork.org>
Message-ID: <alpine.LSU.2.00.1209271000260.1469@hermes-1.csi.cam.ac.uk>
References: <FE6C9DF2-E86E-4CEF-A537-D68C5952B602@vpnc.org> <50609A03.1050507@ogud.com> <alpine.LSU.2.00.1209250026150.14585@hermes-1.csi.cam.ac.uk> <57867BCC-8E8C-4F5A-9A83-0A31652CD71F@danyork.org> <2D645BD5-3501-4182-AB5B-035240F464AA@vpnc.org> <CABrd9STJu_U3Aw5MYjhbZ9Q4SpoM37yUVW5uqyk3aOZyoMvvTg@mail.gmail.com> <19800D41-820B-4256-8C41-0B6854A34AD3@vpnc.org> <CBE06D6B-2022-4151-830C-AB43AF9CE5E8@danyork.org>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Reusing TLSA

Dan York <dan-ietf@danyork.org> wrote:
>
> My comments were reacting largely to Tony's comment about the content of
> the TLSA record:
>
> > TLS is about authenticating peers. S/MIME is about encryption as well as
> > verifying signatures. So I would expect TLS records to be more about
> > digests of certificates (for brevity) whereas S/MIME records to
> > contain public keys or entire certs.
>
> To me it just seemed that there could be app developer confusion if in
> the one case the TLSA record is a digest of a certificate and in another
> case the TLSA record might be a full certificate.
>
> Having said that, I've now gone back and re-read RFC 6698 and seen
> clearly that this is all covered with the Matching Type field in section
> 2.1.3 and so any "DANE implementation" needs to be able to understand
> both the digest and the full certificate.
>
> So consider my comments withdrawn.... and thanks for the replies that
> forced me to deepen my understanding of the DANE protocol. :-)

I think I agree with Dan. My comments were meant to be thinking out loud
rather than objections as such - just trying to enumerate what the
differences might be between TLSA and SMIMEA, in usage and semantics if
not syntax.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

From ondrej.sury@nic.cz  Fri Sep 28 00:22:57 2012
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EF2821F8588 for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 00:22:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.807
X-Spam-Level: 
X-Spam-Status: No, score=0.807 tagged_above=-999 required=5 tests=[AWL=-0.093,  BAYES_50=0.001, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHPtVCBxmvgo for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 00:22:56 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id 564EA21F8578 for <dane@ietf.org>; Fri, 28 Sep 2012 00:22:56 -0700 (PDT)
Received: from [IPv6:2a00:1028:d800:ae:7101:ff2e:306d:61fa] (unknown [IPv6:2a00:1028:d800:ae:7101:ff2e:306d:61fa]) by mail.nic.cz (Postfix) with ESMTPSA id 66B5813F64C; Fri, 28 Sep 2012 09:22:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1348816974; bh=I7EeROGJITbr9uzFBdabNNxZC+eUgHkyvbYExaTGsYM=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc: Message-Id:References:To; b=hIJmUdVPBa1oJGreS2STn6k3b6e7iQS4u3u72ee0iOa07J7denNGpmLrAAnt/sCMg 8a8HYo1vMgTX1sty5OG5BY508/kpA0XtlShr5hyAk+uNbjw0JeDSkkSeNGJF3362t3 xJDbhinj54t/N0EP5LZUlzJHWr77EDRPlZLTbI4Y=
Content-Type: multipart/signed; boundary="Apple-Mail=_2602AD5B-D958-4FD0-8214-13B0F08DCF46"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
In-Reply-To: <0429D665-35A9-4608-B513-4EB955C36556@bblfish.net>
Date: Fri, 28 Sep 2012 09:22:53 +0200
Message-Id: <9DA4662F-DB80-40EC-9D70-EFDE6AAA24EE@nic.cz>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net> <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com> <0429D665-35A9-4608-B513-4EB955C36556@bblfish.net>
To: Henry Story <henry.story@bblfish.net>
X-Mailer: Apple Mail (2.1498)
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 07:22:57 -0000

On 25. 9. 2012, at 18:32, Henry Story <henry.story@bblfish.net> wrote:
> But that is exactly what WebID makes simple:
[...snip...]

With my chair hat on, I would prefer you to stop promoting unrelated
technology unless you prove it's somehow related to work in this working
group.  To tell the truth, I have seen too many emails in this WG to be
reading about what WebID does and what doesn't; I just don't care
(here).  Either make the connection to our charter clear or please
stop and let us focus on the work which _can_ be done in this WG.

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury@nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------



From henry.story@bblfish.net  Fri Sep 28 01:34:25 2012
Return-Path: <henry.story@bblfish.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ACEA21F852E for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 01:34:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.22
X-Spam-Level: 
X-Spam-Status: No, score=-2.22 tagged_above=-999 required=5 tests=[AWL=-1.379,  BAYES_20=-0.74, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5+u66dI5kEBx for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 01:34:24 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id E9F2221F84E4 for <dane@ietf.org>; Fri, 28 Sep 2012 01:34:23 -0700 (PDT)
Received: by wibhr7 with SMTP id hr7so2457019wib.13 for <dane@ietf.org>; Fri, 28 Sep 2012 01:34:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=uX23vciz5NpiubQpi7DcIUTj76TsI/FE34aaiMj7GTE=; b=hei9n9to/3BxgrjclIK2ny1M0XI9pV200R3ygFcdilTwJqjTvPNukt9eoXMI1gR9AP Nz2d/e+xaGYLT+Q1YG3UO1XE3N3Ndb0RhM//lrmD0ebRE2J2xmI/Sb4OEd2PbI488N3E XCWfLXi1Ox/QcmGlWux4J6RzBngXdUL1AR2lie1h8OIEGAStGAs6Vit2vHbPsLLzIDw8 o5/oj7hjNbDIzY3vleRS8PhYXnGApZSsRzNmWyyIJyy7+ifNx8xncJKH9vzYnoiHiMcv 2ebDolMdsuI79Aa8WexNxWmBegx7gSMqNQ3gyHzqZvSdMaM6ExO9Vj5NHn2rlEu7nPtp axgw==
Received: by 10.216.133.91 with SMTP id p69mr2839884wei.111.1348821262611; Fri, 28 Sep 2012 01:34:22 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-165-173.w81-249.abo.wanadoo.fr. [81.249.236.173]) by mx.google.com with ESMTPS id cl8sm35549520wib.10.2012.09.28.01.34.16 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 01:34:20 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_D9C68EE0-6EEB-4548-9C6F-3D1F84A2F0BD"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <9DA4662F-DB80-40EC-9D70-EFDE6AAA24EE@nic.cz>
Date: Fri, 28 Sep 2012 10:34:14 +0200
Message-Id: <7F6F78CD-9CB0-4D9B-BACF-9AF1C45D81C3@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net> <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com> <0429D665-35A9-4608-B513-4EB955C36556@bblfish.net> <9DA4662F-DB80-40EC-9D70-EFDE6AAA24EE@nic.cz>
To: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
X-Mailer: Apple Mail (2.1498)
X-Gm-Message-State: ALoCoQncomvgQpQ0W8BhjbxLS/1vx51WpoL4G34yLqa+gOVuSB1Wde6c22S8QerPQOU8J46YUrOO
Cc: dane@ietf.org
Subject: Re: [dane] Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 08:34:25 -0000

On 28 Sep 2012, at 09:22, Ondřej Surý <ondrej.sury@nic.cz> wrote:

> 
> On 25. 9. 2012, at 18:32, Henry Story <henry.story@bblfish.net> wrote:
>> But that is exactly what WebID makes simple:
> [...snip...]
> 
> With my chair hat on, I would prefer you to stop promoting unrelated
> technology unless you prove it's somehow related to work in this working
> group.  To say the truth I have seen too many emails in this WG to be
> reading about what WebID does and what doesn't, I just don't care
> (here).  Either make some clear the connection to our charter or please
> stop and let us focus on the work which _can_ be done in this WG.

???

I don't think I have been posting anything here for the past few days.
The discussion has moved on to the WebID Community group in the
meantime:

http://lists.w3.org/Archives/Public/public-webid/2012Sep/thread.html

Anyway, I am very keen on DANE being adopted widely. It is a very important
standard. The work we are doing would be hugely enhanced by it. As I said,
it is likely that the work done here to use DANE for MIME could be combined
with WebID to go even further.

Sincerely,

	Henry Story

> 
> O.
> --
> Ondřej Surý -- Chief Science Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:ondrej.sury@nic.cz    http://nic.cz/
> tel:+420.222745110       fax:+420.222745112
> -------------------------------------------
> 

Social Web Architect
http://bblfish.net/



From henry.story@bblfish.net  Fri Sep 28 03:06:06 2012
Return-Path: <henry.story@bblfish.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 193A421F8570 for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 03:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.011
X-Spam-Level: 
X-Spam-Status: No, score=-3.011 tagged_above=-999 required=5 tests=[AWL=-0.312, BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUJfV+V1VuqX for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 03:06:04 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id 98E2621F8546 for <dane@ietf.org>; Fri, 28 Sep 2012 03:06:00 -0700 (PDT)
Received: by wibhr7 with SMTP id hr7so2569054wib.13 for <dane@ietf.org>; Fri, 28 Sep 2012 03:05:59 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=EXYpekDbzY/NNcb3jAz8pHIhISpn8JIakwS1fqYwKjo=; b=K5tFFSwpKk5dSzOnO6vYeY6jbpBrBSanBXWzfw2TFcGsG3Oo7MQRFMfKZkwXH3L9/2 4LdTypLO5e7shPs+Ej8p4mr3hqn+A06aIRo3VrVy8Pb5XI4Yad6jIkNsVGTYRVBx2ofv LF01t+YAWG/f07T1fwPX7sDCofxnxGCMc63NcBLpz+iPQN8x50jqexkeTJBZPUN6Eekd Fg4tNAMWZg6M787TSygmaCseHmq63Mz/5mLqkQX4V71YpltaWQhfw21KirIBujIviCET 8B1WYWJLG39dvC8VdjlVKBI17WGHcjZRDdUfLv+Yn3TvFgIuf0ryXtQHm6PntfQt3NGn m3cA==
Received: by 10.180.97.33 with SMTP id dx1mr2839832wib.18.1348826759586; Fri, 28 Sep 2012 03:05:59 -0700 (PDT)
Received: from bblfish.home (AAubervilliers-651-1-165-173.w81-249.abo.wanadoo.fr. [81.249.236.173]) by mx.google.com with ESMTPS id m14sm29051283wie.8.2012.09.28.03.05.53 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 03:05:54 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_46C95714-FD3E-4B4B-9F28-FE0CB48E146F"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <7F6F78CD-9CB0-4D9B-BACF-9AF1C45D81C3@bblfish.net>
Date: Fri, 28 Sep 2012 12:05:51 +0200
Message-Id: <2BC6D443-047B-4371-9C65-4EB8E98A8058@bblfish.net>
References: <BCDB44B9-6AB0-4230-B1EF-FDDB37C77F38@kumari.net> <357AB2FD-DF7E-49EC-B3D6-D0F6BC20A79F@kumari.net> <1975D6BE-FC50-4F50-A7AF-9AF976ECDD4E@bblfish.net> <50619B61.3060206@openlinksw.com> <4C6DF6FB-434A-4893-A40A-3F013E012E30@bblfish.net> <35840592-D4C8-4A30-AA1F-18B64D5A2069@vpnc.org> <FDF36968-FBDA-4C73-BB46-04DFD818DA11@bblfish.net> <5061C39E.1070901@bbn.com> <C32F039B-45FF-4655-81B1-F64CF92883D9@bblfish.net> <CABrd9SQXREGByK=M4g62VkFXQVn2nv58FymqVrOO9FTXkHxGNg@mail.gmail.com> <3F073866-ACE9-4A9D-939D-530BABB9B8CF@bblfish.net> <CABrd9SQ2sr3V=Sh9L50CAww=OjCsKr4W+tbRGqr_8a_eFggz5g@mail.gmail.com> <0429D665-35A9-4608-B513-4EB955C36556@bblfish.net> <9DA4662F-DB80-40EC-9D70-EFDE6AAA24EE@nic.cz> <7F6F78CD-9CB0-4D9B-BACF-9AF1C45D81C3@bblfish.net>
To: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
X-Mailer: Apple Mail (2.1498)
X-Gm-Message-State: ALoCoQkzxmyUS1Ru5uJxwbGONZk8E7rIv3Oy/XWInGFNXzqReVzKUEPAYzGdgohMTQCvcc94ZOiF
Cc: "public-webid@w3.org" <public-webid@w3.org>, "dane@ietf.org WG list" <dane@ietf.org>
Subject: Re: [dane] WebID & Call for Adoption: "Using Secure DNS to Associate Certificates with Domain Names For S/MIME"
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 10:06:06 -0000

Just a last note, relevant to draft-hoffman-dane-smime-04 [1] and how it
could work with WebID. I think this is on topic for the IETF group: after
all this is a "Call for adoption", and I am willing to adopt it. Here is
how I came to that conclusion.

I have worked out how to get my mail signed with my WebID certificate -
it was pretty easy once it was explained to me how to do it in Apple Mail.

I went to Keychain, selected my certificate (created using
https://my-profile.eu/ ), right clicked on it and selected "New Identity
Preference".

Those of you that have a client that shows the certificate - if the IETF
passes that information on - should see that the mail was correctly signed
but that your client was not able to verify the message signature: Apple
Mail does not know the certificate authority webid.fcns.eu, and why should
it? Apple Mail has a yellow tab that says: "Unable to verify message
signature". I can then choose to accept that certificate as representing me.

It would therefore be easy to write a plugin for Mail to do the following
whenever a mail is signed by an unknown CA, but has a WebID in the SAN field:
  - do an HTTP GET on the URL
  - verify that the WebID listed in the profile document declares the public
    key of the user as one of the user's public keys
    ( as specified by the WebID spec https://webid.info/spec/ )

That would allow it then to use personal information listed in the WebID
profile to fill in my address book info, including for example a picture
which it could then show in the e-mail reader for mnemonic purposes [2].

Still, that leaves an open problem that the IETF spec under discussion [1]
will help with. WebID by itself could be used to check the social network
of people I know to see if they refer to this WebID. But it would not help
for knowing if the e-mail was indeed really mine. The e-mail client could
use WebFinger [3] (another IETF spec) to go from the e-mail to the WebID.
That would be one method of verification. But WebFinger has the problem, I
think, for the moment that it does not necessarily go through https to do
the verification, and so could be open to a man in the middle attack.

So the draft spec in question could be very useful by specifying in DNSSEC
a signing key for certificates that guarantees that it was one the e-mail
service stands behind. I.e.: it would have to be a guarantee that any
certificate signed with that key is one that only that user has access to.

Still, this leaves the problem that the e-mail address itself would need to
appear in the certificate too. (Which mine does not have at present! Oops!)

So it does indeed look like these two protocols are complementary and can
work with each other - indeed may need each other.

Given that, what could WebID provide in addition to draft-hoffman-dane-smime?
I think the following:
 1. A way to easily verify that the certificate is still valid.
    If I were to lose my certificate, or think it had been copied,
    I could just go to my profile and delete the public key associated
    with that certificate from the profile.
 2. As stated earlier it can be a way to add information flexibly to the
    certificate - a link to my social network, to my photos, to my blog,
    which would not require one to change the certificate each time one
    changed that information: the WebID places information on the web,
    instead of placing it in a certificate.

Good. Given that this is a call for adoption, I would be willing to adopt
this, and even implement this in the social network I am building. That is
if I have understood the intent of draft-hoffman-dane-smime correctly.

Sincerely,

	Henry Story


[1] http://tools.ietf.org/html/draft-hoffman-dane-smime-04
[2] http://bblfish.net/blog/page9.html#2005/08/26/01-50-23-870
[3] http://tools.ietf.org/html/draft-jones-appsawg-webfinger-06

Social Web Architect
http://bblfish.net/



From dan-ietf@danyork.org  Fri Sep 28 09:43:45 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5B2F21F8528 for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 09:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level: 
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BsdvnniOpzGL for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 09:43:45 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id D18EC21F8489 for <dane@ietf.org>; Fri, 28 Sep 2012 09:43:44 -0700 (PDT)
Received: by mail-qa0-f44.google.com with SMTP id b10so31618qad.10 for <dane@ietf.org>; Fri, 28 Sep 2012 09:43:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=22YWZR8V8Hb2os2+Qle14uUCqXzg+mh+1r5g6yNEK8w=; b=WOziz25/CPoBM926dfjLW9ZdDB1iidZ9kLAyj0llcU79t0Uf6LiKOZhEU2CRDFCqCA N2VLlawHegcGpdRyI6AXzTPT7q7XuhCBMTelnf3KvPEYNwyDBT+DtXaVYTFBYqtCMbT4 9Vi+JJyk6pBG1L3ZvxZCqfoHqef086QZakTzrfxdegXPVg4wFDJQ/oB2Gkltv4hsWCyl J+4AHFZSiLL+HAS97cdHqngyfcX6pbIK+25SR0cNORNOw/8nRe94QSuY0apVsl1XlzID IjXDxSB2zw4T/TKMfR9et2xFdMaD/HTDhBeeuGNl1oPn1a2PBJEVTQz4cZ6uM3RgimnP 8bLQ==
Received: by 10.224.187.146 with SMTP id cw18mr18315804qab.35.1348850624199; Fri, 28 Sep 2012 09:43:44 -0700 (PDT)
Received: from ?IPv6:2001:470:1f07:309:e835:9054:6823:b7da? ([2001:470:1f07:309:e835:9054:6823:b7da]) by mx.google.com with ESMTPS id et6sm13156351qab.8.2012.09.28.09.43.43 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 09:43:43 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_01E56D2D-5884-4254-995C-B05DCA64073B"
From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <50636FA2.6050403@os3.nl>
Date: Fri, 28 Sep 2012 12:43:41 -0400
Message-Id: <D57DD9FF-536B-4808-9365-F30ABDF85D3D@danyork.org>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org> <50636FA2.6050403@os3.nl>
To: Pieter Lexis <pieter.lexis@os3.nl>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQlrOSfklBzavG99owt+0tKvZN3ixdEVVUISfxJ3kw7SDNjY53kTdScxhLLMK/9xMn+EWuCt
Cc: dane@ietf.org
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 16:43:45 -0000

Pieter,

On Sep 26, 2012, at 5:12 PM, Pieter Lexis wrote:

> Looks good to me. Appendix A.4 of RFC 6698[0] describes the way to do it
> (it is similar to DNSSEC key-rollover). I would recommend reading
> Appendix A in full to understand the implication of certain choices of
> matching type and selector.

Appendix A is great... but I'm looking to create something that is *extremely*
simple and easy.  I think it really needs to be tool-based so that people just
have to run some scripts.

> As for tooling, I wrote a (proof of concept) tool called 'swede'[2] in
> January of this year (and updated it when needed). It has been used to
> create the Examples (Appendix C) in RFC 6698. The code is a bit messy,
> but it works. I'm currently re-implementing it in a more maintainable
> fashion (hopefully finished within a few weeks, but you never know).

Very cool!  I'm now watching your repo at:

> 2 - https://github.com/pieterlexis/swede

and will check out the code and try it out.  I also noticed recently that
you added TLSA support into dnspython although it wasn't immediately clear
to me how to use that support. (dnspython could use some examples related
to DNSSEC in general... at some point I may go and write some if no one
else does that first.)

Thanks for the suggestions and the link to swede.

Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork





From paul@cypherpunks.ca  Fri Sep 28 10:55:26 2012
Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AC8B21F852A for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 10:55:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level: 
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599, J_CHICKENPOX_38=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fMaDGlRwA93 for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 10:55:26 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2298421F84FA for <dane@ietf.org>; Fri, 28 Sep 2012 10:55:25 -0700 (PDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id 71CA580512; Fri, 28 Sep 2012 13:55:23 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6662380476; Fri, 28 Sep 2012 13:55:23 -0400 (EDT)
Date: Fri, 28 Sep 2012 13:55:23 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Dan York <dan-ietf@danyork.org>
In-Reply-To: <D57DD9FF-536B-4808-9365-F30ABDF85D3D@danyork.org>
Message-ID: <alpine.LFD.2.02.1209281348070.24512@bofh.nohats.ca>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org> <50636FA2.6050403@os3.nl> <D57DD9FF-536B-4808-9365-F30ABDF85D3D@danyork.org>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=ISO-8859-15
Content-Transfer-Encoding: 8BIT
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 17:55:26 -0000

On Fri, 28 Sep 2012, Dan York wrote:

> and will check out the code and try it out. I also noticed recently that you added TLSA support into dnspython although it wasn't
> immediately clear to me how to use that support. (dnspython could use some examples related to dnssec in general... at some point I may
> go and write some if no else does that first.)

Documentation there is indeed lacking:

[paul@bofh ~]$ python
Python 2.7.3 (default, Jul 24 2012, 10:05:38) 
[GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import dns.resolver
>>> answers = dns.resolver.query('_443.import dns.resolver', 'TLSA')
>>> answers
<dns.resolver.Answer object at 0x2259350>
>>> for rdata in answers:
...     print rdata
... 
1 0 1 6bcff9a283336dd1ed99a9c40427741b5658863bd54f0a876a2bc4bf8d822112
>>> answers[0].selector
0
>>> answers[0].usage
1


Hope this helps,

Note that Pieter's TLSA patch in dnspython has been pushed into Fedora/RHEL a
few days ago. It's available in updates-testing and should be available
as a released update in a week or so.

Paul

From dan-ietf@danyork.org  Fri Sep 28 11:19:59 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 446CB21F84EB for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 11:19:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level: 
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rzAYVCKMP+tw for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 11:19:58 -0700 (PDT)
Received: from mail-qa0-f44.google.com (mail-qa0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 601F321F84E7 for <dane@ietf.org>; Fri, 28 Sep 2012 11:19:58 -0700 (PDT)
Received: by mail-qa0-f44.google.com with SMTP id b10so115943qad.10 for <dane@ietf.org>; Fri, 28 Sep 2012 11:19:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=NXsyYlquBJ6/f1Ecgzkvc5lADn2kkthLMEEB0pLbjII=; b=G/O19QSpgZizARtXhDVWOtQLvg1wFJh/Ou7mjtUZNocfPORvyceUyQWJuhTjL7GDiu aZkifP+xJZVkJDZlY6pg/FYdioaLjICfOkNolxRA3sduKZKNkreYFAQipFPuWfBLZ7FV +PC++LgfAcrmzIDQdr80TdUiIBDj1QgHZV5c1S5KNkSLJjJZIrfNC1ab/9LGMklKcEbK nClHIxVOorCMsCwZV4dAEMpLfSjiZbRo9AZWdR1S+UG9ClN9g01JF5huNLUjCjK69tlz cu3JbWRCy2JUVPZdpCDNokfOTTFfIaQE3zVlqq3VzK36ESVne8aVzBSe43v911m2knkZ jvig==
Received: by 10.224.42.138 with SMTP id s10mr18810816qae.21.1348856397804; Fri, 28 Sep 2012 11:19:57 -0700 (PDT)
Received: from ?IPv6:2001:470:1f07:309:e835:9054:6823:b7da? ([2001:470:1f07:309:e835:9054:6823:b7da]) by mx.google.com with ESMTPS id dp3sm13436963qab.21.2012.09.28.11.19.56 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 11:19:57 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_B48A60BE-EA57-4ABB-BF2E-5B825167A8C9"
From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <alpine.LFD.2.02.1209261809490.9988@bofh.nohats.ca>
Date: Fri, 28 Sep 2012 14:19:55 -0400
Message-Id: <56D9F1D8-7D81-485B-B113-11E32C89605F@danyork.org>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org> <alpine.LFD.2.02.1209261809490.9988@bofh.nohats.ca>
To: Paul Wouters <paul@cypherpunks.ca>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQlh203PKGrQu7wzsidQFTAq+YQOSCLgwbqQ7U2JRG4K4qS6k25wYeo7bFpzp7HOLg7gJFLf
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 18:19:59 -0000

--Apple-Mail=_B48A60BE-EA57-4ABB-BF2E-5B825167A8C9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Paul,

On Sep 26, 2012, at 6:15 PM, Paul Wouters wrote:

> On Wed, 26 Sep 2012, Dan York wrote:
> 
>> To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how
>> to publish a TLSA record?  Or collaborating on writing one?
> 
> My slidedeck from Linux Security Summit 2012 had that information.
> I'll also be presenting about this at SecTor and ICANN.

Nice presentation!   For others interested the link is at http://kernsec.org/files/LinuxCon2012-DNSSEC.pdf

There certainly are pieces in there that can be pulled out for a tutorial.

>> Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some
>> text narrative explaining the commands.
> 
> yum | apt-get install hash-slinger (from http://people.redhat.com/pwouters/hash-slinger )

Looks like a very nice tool.  Before I go trying to see if I can get it to work on Mac OS X, are you aware of anyone else doing so?   (I have an interest in demo-ing a tool like this at conferences and events - and my laptop is a Mac.)

Thanks for the info and link,
Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork




--Apple-Mail=_B48A60BE-EA57-4ABB-BF2E-5B825167A8C9--

From dan-ietf@danyork.org  Fri Sep 28 11:42:35 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28A2321F85AD for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 11:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.296
X-Spam-Level: 
X-Spam-Status: No, score=0.296 tagged_above=-999 required=5 tests=[AWL=-3.294,  BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294,  HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwSBzUbyNbDE for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 11:42:34 -0700 (PDT)
Received: from mail-qc0-f172.google.com (mail-qc0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 35B5721F85DA for <dane@ietf.org>; Fri, 28 Sep 2012 11:42:34 -0700 (PDT)
Received: by qcac10 with SMTP id c10so1105583qca.31 for <dane@ietf.org>; Fri, 28 Sep 2012 11:42:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=from:content-type:subject:date:message-id:to:mime-version:x-mailer :x-gm-message-state; bh=yjjvh1RgXXhTcHHiTfdDRFOxrVWxRCdS1hOlizZbDZY=; b=G79hTvJHDQWPc2oba5B6OfOCIf0cq/Ey46OT16z202w83mMx59vgPMiRfObajDtSAS 3m4w3fXT2jQ8qmGh/tI2xrFgdv/ah7f9sK5hOfmexElyfvo6rYS8+j0D/JF1HexF7UxU 5qaZfHsz6OPyxDTwPbJCFPkyGZK9tfYVNA3VHhcd26qM0Oi3PL3WVd7en4Qymv2Qdxiz m/qMr9AKnSnIWzjZ+I2WZjgpLe6CCPtahkAXE9YzdfpC2S6Q09viWRL6jDyv9Er9gOd8 r6gt64qEtzGLffwQFLE0DqnpDN0oxgE0S3mjYnEJeX/SWsvexpip8kstgcdIXzSvhx3u XNbQ==
Received: by 10.224.207.8 with SMTP id fw8mr19068193qab.92.1348857753501; Fri, 28 Sep 2012 11:42:33 -0700 (PDT)
Received: from ?IPv6:2001:470:1f07:309:e835:9054:6823:b7da? ([2001:470:1f07:309:e835:9054:6823:b7da]) by mx.google.com with ESMTPS id et6sm13494494qab.8.2012.09.28.11.42.32 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 11:42:33 -0700 (PDT)
From: Dan York <dan-ietf@danyork.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C3E0E682-C69C-4FA7-9548-358347836933"
Date: Fri, 28 Sep 2012 14:42:30 -0400
Message-Id: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>
To: IETF DANE WG list <dane@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1257)
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQnSl1lPgDavS8hr49lqnUqgAd6xysYwc8eClp6WYU1sHPj0tCpjfMT/jsbNLWScXGCbZ0xR
Subject: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 18:42:35 -0000

--Apple-Mail=_C3E0E682-C69C-4FA7-9548-358347836933
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Is there a newer version of 'dig' that supports TLSA records?  I just received this on Mac OS X 10.7.4:
-----
 dyork$ dig +dnssec -t tlsa torproject.org
;; Warning, ignoring invalid type tlsa
-----

Here's the version info I have for dig:
-----
dyork$ dig -v
DiG 9.7.3-P3
-----

If so, any tips on easily getting a newer version[1]?  Does Mountain Lion include a newer version?

Thanks,
Dan

[1] i.e. outside of going to https://www.isc.org/software/bind and doing the usual 'configure/make/make install' dance, which I've not actually tried on Mac OS X

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork




--Apple-Mail=_C3E0E682-C69C-4FA7-9548-358347836933--

From dan-ietf@danyork.org  Fri Sep 28 12:06:39 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD53621F860B for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 12:06:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVJpbgNWmBmc for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 12:06:33 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 8C8E121F85DA for <dane@ietf.org>; Fri, 28 Sep 2012 12:06:32 -0700 (PDT)
Received: by qabj40 with SMTP id j40so141555qab.10 for <dane@ietf.org>; Fri, 28 Sep 2012 12:06:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=dqIPHL763ITJ6tFC41XJCVLJyZVNMgMvkHfKaKYVXkU=; b=ADIdfi3mvV7JK6hGR1E6I5KpE4aRQHCx4HV5WdktT20hXN9yOolSHB3I563JgB/c1o MWb5GM9PTGH0TOjD/dAb+Q0y9HRLk1kqAvuHy5YA3DdP0L97V8vJUoHVoWqi/ihV+t9U +MPKPEXMrLW4WXt65UxKBj/eLkEamd1MGkTjXtLZ6Zkgm2fOCRBeblY0LzbKIcLn0Ohx dAqBYtgSPeoA6S5snbyYyyrqNECmYnR3Rz63i2THU7S6QEEO15CbuKbCGMYsNAeMmGfn RFZveu16iUK+ygHM/lqUyXI+4HRFM4jsEDvdlL8g5lTamq6KoT/pgfKJeGHIFGL+xoUw ll4Q==
Received: by 10.229.135.18 with SMTP id l18mr5262105qct.19.1348859191804; Fri, 28 Sep 2012 12:06:31 -0700 (PDT)
Received: from [172.20.12.152] (cpe-74-75-92-114.maine.res.rr.com. [74.75.92.114]) by mx.google.com with ESMTPS id d11sm13563371qaj.18.2012.09.28.12.06.30 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 12:06:31 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/alternative; boundary="Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70"
From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <alpine.LFD.2.02.1209281348070.24512@bofh.nohats.ca>
Date: Fri, 28 Sep 2012 15:06:28 -0400
Message-Id: <9ED27365-3730-40FB-80F2-4EA579C2157A@danyork.org>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org> <50636FA2.6050403@os3.nl> <D57DD9FF-536B-4808-9365-F30ABDF85D3D@danyork.org> <alpine.LFD.2.02.1209281348070.24512@bofh.nohats.ca>
To: Paul Wouters <paul@cypherpunks.ca>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkCILDMphEYUJ8b/x8yR91ZSip1WnUQZrGxjNVKU/FwmIq22xAmphEBQvMkkl9DDsQLqx9Y
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 19:06:39 -0000

--Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Paul

On Sep 28, 2012, at 1:55 PM, Paul Wouters wrote:

> [paul@bofh ~]$ python
> Python 2.7.3 (default, Jul 24 2012, 10:05:38) [GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
>>>> import dns.resolver
>>>> answers = dns.resolver.query('_443.import dns.resolver', 'TLSA')

Excellent!  Worked beautifully with:

   import dns.resolver
   # TLSA record for the HTTPS service (port 443, TCP) at www.torproject.org
   answers = dns.resolver.query('_443._tcp.www.torproject.org', 'TLSA')
   for rdata in answers:
       print rdata

I can see the TLSA record.

So now I have the record... assuming I used dnspython as part of a larger application I would now be able to compare the record to the TLS certificate I get from a website.  Any code in here to help with the comparison?  Or is that something I would need to do in my code?  (i.e. write a function to do a hash on the TLS certificate and compare that to the TLSA record)

> Hope this helps,

It does.

> Note that Pieter's TLSA patch in dnspython has been pushed into Fedora/RHEL a
> few days ago. It's available in updates-testing and should be available
> as a released update in a week or so.

Great!

Thanks,
Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork
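
The comparison Dan asks about above (hash the certificate, compare with the TLSA record) is the RFC 6698 matching step: the selector picks the full certificate or just its SubjectPublicKeyInfo, the matching type says whether the record holds that data verbatim or a SHA-256/SHA-512 digest of it. The following is an added example, not code from dnspython, hash-slinger or anyone in this thread; it uses only the Python standard library, substitutes a constructed sample certificate for a live one, and assumes the record text arrives in the presentation form shown in Paul's session.

```python
"""TLSA-to-certificate matching per RFC 6698 (selector and matching type). Added example
for this thread, not dnspython or hash-slinger code; standard library only."""
import hashlib

SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1            # TLSA RDATA values, RFC 6698 section 2.1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _der_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, content, end), where
    buf[pos:end] is the complete encoded element (tag, length and content)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo. In TBSCertificate it follows the optional
    [0] version, serialNumber, signature, issuer, validity and subject fields."""
    tag, cert, _ = _der_tlv(cert_der, 0)
    tbs_tag, tbs, _ = _der_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 Certificate SEQUENCE")
    fields, pos = [], 0                     # (tag, raw element) per TBSCertificate field
    while pos < len(tbs):
        tag, _, end = _der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:     # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("cannot locate subjectPublicKeyInfo")
    return fields[5][1]


def certificate_association_data(cert_der, selector, matching_type):
    """Compute the Certificate Association Data a TLSA record carries for this cert."""
    if selector == SELECTOR_FULL_CERT:
        data = cert_der
    elif selector == SELECTOR_SPKI:
        data = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector %d" % selector)
    if matching_type == MATCH_EXACT:
        return data
    if matching_type in (MATCH_SHA256, MATCH_SHA512):
        return hashlib.new("sha256" if matching_type == MATCH_SHA256 else "sha512", data).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def parse_tlsa(text):
    """Parse 'usage selector matching-type hex' as dig and dnspython print it;
    the hex part may be split into whitespace-separated groups."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("malformed TLSA record: %r" % text)
    usage, selector, matching_type = (int(p) for p in parts[:3])
    return usage, selector, matching_type, "".join(parts[3:]).lower()


def tlsa_matches(cert_der, usage, selector, matching_type, assoc_hex):
    """True if the record matches the end-entity certificate. Usages 1 (PKIX-EE) and 3 (DANE-EE)
    describe the leaf; 0 and 2 name a CA, so test chain certificates instead (usage 1 also needs PKIX)."""
    if usage not in (1, 3):
        raise ValueError("usage %d constrains a CA certificate, not the end entity" % usage)
    expected = bytes.fromhex(assoc_hex)     # a wrong-length digest simply fails to compare
    return certificate_association_data(cert_der, selector, matching_type) == expected


def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + content


def build_sample_certificate():
    """Constructed sample, not a real certificate: an X.509 v3 skeleton with empty names and
    placeholder key bytes long enough to exercise long-form DER lengths. Returns (cert, spki)."""
    def seq(*parts):
        return _der(0x30, b"".join(parts))
    rsa_oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")      # rsaEncryption
    sig_alg = seq(_der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    spki = seq(seq(rsa_oid, _der(0x05, b"")), _der(0x03, b"\x00" + b"\x11" * 140))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")),                          # [0] version = v3
              _der(0x02, b"\x01"),                                      # serialNumber
              sig_alg, seq(),                                           # signature, issuer
              seq(_der(0x17, b"120928000000Z"), _der(0x17, b"130928000000Z")),  # validity
              seq(), spki)                                              # subject, SPKI
    return seq(tbs, sig_alg, _der(0x03, b"\x00" + b"\x22" * 64)), spki
```

To check a live site, `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert()` converts it to the DER that `tlsa_matches()` takes; call it as `tlsa_matches(cert_der, *parse_tlsa(str(rdata)))` for each record dnspython returned.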




--Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70--

From rbarnes@bbn.com  Fri Sep 28 13:55:57 2012
Return-Path: <rbarnes@bbn.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14AA221F85DA for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 13:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.154
X-Spam-Level: 
X-Spam-Status: No, score=-103.154 tagged_above=-999 required=5 tests=[AWL=-3.745, BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294, HS_INDEX_PARAM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6A1XA90E4oEQ for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 13:55:56 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 40DC521F85A0 for <dane@ietf.org>; Fri, 28 Sep 2012 13:55:56 -0700 (PDT)
Received: from [128.89.253.58] (port=53620) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1THhbA-000L72-UU; Fri, 28 Sep 2012 16:55:49 -0400
Date: Fri, 28 Sep 2012 22:55:47 +0200
From: Richard Barnes <rbarnes@bbn.com>
To: Dan York <dan-ietf@danyork.org>
Message-ID: <C7596E794315490682CAEC436593D718@bbn.com>
In-Reply-To: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>
References: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>
X-Mailer: sparrow 1.6.3 (build 1172)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="50660ed3_2a00487_7b3"
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 20:55:57 -0000

--50660ed3_2a00487_7b3
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

It appears that TLSA support has been added to BIND in version 9.8.3 ...
<https://lists.isc.org/pipermail/bind-users/2012-May/087723.html>

… and that version 9.8.3 ships with Mountain Lion.
<http://support.apple.com/kb/HT5501>


-- 
Richard Barnes
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)


On Friday, September 28, 2012 at 8:42 PM, Dan York wrote:

> Is there a newer version of 'dig' that supports TLSA records?  I just received this on Mac OS X 10.7.4:
> -----
>  dyork$ dig +dnssec -t tlsa torproject.org (http://torproject.org)
> ;; Warning, ignoring invalid type tlsa
> -----
> 
> Here's the version info I have for dig:
> -----
> dyork$ dig -v
> DiG 9.7.3-P3
> 
> -----
> 
> If so, any tips on easily getting a newer version[1]?  Does Mountain Lion include a newer version?
> 
> Thanks,
> Dan
> 
> [1] i.e. outside of going to https://www.isc.org/software/bind and doing the usual 'configure/make/make install' dance, which I've not actually tried on Mac OS X
> 
> -- 
> Dan York  dyork@lodestar2.com (mailto:dyork@lodestar2.com)
> http://www.danyork.me/ (http://www.danyork.com/)   skype:danyork
> Phone: +1-802-735-1624
> Twitter - http://twitter.com/danyork
> 
> 
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org (mailto:dane@ietf.org)
> https://www.ietf.org/mailman/listinfo/dane
> 
> 



--50660ed3_2a00487_7b3--


From shuque@upenn.edu  Fri Sep 28 14:04:42 2012
Return-Path: <shuque@upenn.edu>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 862CD21F859A for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 14:04:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.589
X-Spam-Level: ****
X-Spam-Status: No, score=4.589 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294, HS_INDEX_PARAM=0.001, J_CHICKENPOX_57=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iPoEct-iuN7Y for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 14:04:41 -0700 (PDT)
Received: from mopeypopo.net.isc.upenn.edu (www.huque.com [IPv6:2607:f470:2:1::a:2]) by ietfa.amsl.com (Postfix) with ESMTP id CA27821F8476 for <dane@ietf.org>; Fri, 28 Sep 2012 14:04:41 -0700 (PDT)
Received: by mopeypopo.net.isc.upenn.edu (Postfix, from userid 500) id 84483A4F3A; Fri, 28 Sep 2012 17:04:40 -0400 (EDT)
Date: Fri, 28 Sep 2012 17:04:40 -0400
From: Shumon Huque <shuque@upenn.edu>
To: Richard Barnes <rbarnes@bbn.com>
Message-ID: <20120928210440.GA15004@isc.upenn.edu>
References: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org> <C7596E794315490682CAEC436593D718@bbn.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <C7596E794315490682CAEC436593D718@bbn.com>
Organization: University of Pennsylvania
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Sep 2012 21:04:42 -0000

With older versions of dig, you can also just specify the TLSA
RR type code (52), e.g.

$ dig _443._tcp.fedoraproject.org. TYPE52

[...]

;; ANSWER SECTION:
_443._tcp.fedoraproject.org. 236 IN	TYPE52	\# 35 030001F4BF2EAD76DA47E2EB64D6BD80335B276574E8E62617908D49 17F19E75920F22

The RDATA is pretty easy to decode: the first 3 octets are the
usage (03), selector (00) and match type (01). The rest is the
cert data.

--Shumon.

On Fri, Sep 28, 2012 at 10:55:47PM +0200, Richard Barnes wrote:
> It appears that TLSA support has been added to BIND in version 9.8.3 ...  
> <https://lists.isc.org/pipermail/bind-users/2012-May/087723.html>
> 
> … and that version 9.8.3 ships with Mountain Lion.
> <http://support.apple.com/kb/HT5501>
> 
> 
> --  
> Richard Barnes
> Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
> 
> 
> On Friday, September 28, 2012 at 8:42 PM, Dan York wrote:
> 
> > Is there a newer version of 'dig' that supports TLSA records?  I just received this on Mac OS X 10.7.4:
> > -----
> >  dyork$ dig +dnssec -t tlsa torproject.org (http://torproject.org)
> > ;; Warning, ignoring invalid type tlsa
> > -----
> >  
> > Here's the version info I have for dig:
> > -----
> > dyork$ dig -v
> > DiG 9.7.3-P3
> >  
> > -----
> >  
> > If so, any tips on easily getting a newer version[1]?  Does Mountain Lion include a newer version?
> >  
> > Thanks,
> > Dan
> >  
> > [1] i.e. outside of going to https://www.isc.org/software/bind and doing the usual 'configure/make/make install' dance, which I've not actually tried on Mac OS X
> >  
> > --  
> > Dan York  dyork@lodestar2.com (mailto:dyork@lodestar2.com)
> > http://www.danyork.me/ (http://www.danyork.com/)   skype:danyork
> > Phone: +1-802-735-1624
> > Twitter - http://twitter.com/danyork
> >  
> >  
> >  
> > _______________________________________________
> > dane mailing list
> > dane@ietf.org (mailto:dane@ietf.org)
> > https://www.ietf.org/mailman/listinfo/dane
> >  
> >  
> 
> 

> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


-- 
Shumon Huque
University of Pennsylvania.
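As an added example (not code from any post in this thread), the following decodes the generic-format answer that Shumon's TYPE52 query prints (RFC 3597 `\# <length> <hex>` form, TLSA being RR type 52) into the usage, selector, matching type and association data he describes. The sample answer line is constructed from the one quoted above; the field names are the RFC 7218 acronyms, and the digest-length check is the added edge case a verifier should apply before trusting the record.

```python
"""Decode a TLSA record printed by an older dig in RFC 3597 generic form.

Added example for this thread, not code from the original posts. It takes
the answer line that dig prints when queried for TYPE52 (the TLSA RR type
code) and splits the RDATA into its RFC 6698 fields.
"""
import re

# Constructed from the answer line quoted in the thread above.
SAMPLE_ANSWER = (
    "_443._tcp.fedoraproject.org. 236 IN\tTYPE52\t\\# 35 "
    "030001F4BF2EAD76DA47E2EB64D6BD80335B276574E8E62617908D49 17F19E75920F22"
)

# RFC 7218 acronyms for the RFC 6698 field values.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
# Expected length of the association data for the hash matching types.
DIGEST_LEN = {1: 32, 2: 64}


def parse_generic_rdata(text: str) -> bytes:
    """Parse an RFC 3597 '\\# <len> <hex...>' field into raw RDATA bytes.

    dig may split the hex into several whitespace-separated groups; the
    declared length is checked against what was actually decoded.
    """
    m = re.search(r"\\#\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)+)", text)
    if not m:
        raise ValueError("no RFC 3597 generic RDATA found")
    declared = int(m.group(1))
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != declared:
        raise ValueError(f"declared {declared} bytes but decoded {len(raw)}")
    return raw


def decode_tlsa(rdata: bytes) -> dict:
    """Split TLSA RDATA: usage, selector, matching type, then association data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than the three fixed octets")
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    data = rdata[3:]
    # For hash matching types the data must be exactly one digest long;
    # anything else is a truncated or corrupted record and must not match.
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError(
            f"matching type {mtype} expects {DIGEST_LEN[mtype]} bytes, got {len(data)}"
        )
    return {
        "usage": usage,
        "usage_name": USAGES.get(usage, "unassigned"),
        "selector": selector,
        "selector_name": SELECTORS.get(selector, "unassigned"),
        "matching_type": mtype,
        "matching_name": MATCHING.get(mtype, "unassigned"),
        "data_hex": data.hex(),
    }


def decode_dig_line(line: str) -> dict:
    """From a dig answer line straight to the decoded TLSA fields."""
    return decode_tlsa(parse_generic_rdata(line))


if __name__ == "__main__":
    for key, value in decode_dig_line(SAMPLE_ANSWER).items():
        print(f"{key:14} {value}")
```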

From marka@isc.org  Fri Sep 28 20:35:21 2012
Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FD4021F8611 for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 20:35:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.98
X-Spam-Level: 
X-Spam-Status: No, score=0.98 tagged_above=-999 required=5 tests=[AWL=-3.609,  BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294, J_CHICKENPOX_57=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bl08z9rfqUbl for <dane@ietfa.amsl.com>; Fri, 28 Sep 2012 20:35:20 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 420D721F860E for <dane@ietf.org>; Fri, 28 Sep 2012 20:35:20 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.pao1.isc.org (Postfix) with ESMTPS id EE698C9498; Sat, 29 Sep 2012 03:35:08 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (c211-30-172-21.carlnfd1.nsw.optusnet.com.au [211.30.172.21]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 5BDD8216C3B; Sat, 29 Sep 2012 03:35:08 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id B4DC12822CF1; Sat, 29 Sep 2012 13:35:05 +1000 (EST)
To: Dan York <dan-ietf@danyork.org>
From: Mark Andrews <marka@isc.org>
References: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>
In-reply-to: Your message of "Fri, 28 Sep 2012 14:42:30 -0400." <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>
Date: Sat, 29 Sep 2012 13:35:05 +1000
Message-Id: <20120929033505.B4DC12822CF1@drugs.dv.isc.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Sep 2012 03:35:21 -0000

In message <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>, Dan York writes:
> Is there a newer version of 'dig' that supports TLSA records?  I just
> received this on Mac OS X 10.7.4:
> -----
>  dyork$ dig +dnssec -t tlsa torproject.org
> ;; Warning, ignoring invalid type tlsa
> -----

dig +dnssec type53 torproject.org
	
> Here's the version info I have for dig:
> -----
> dyork$ dig -v
> DiG 9.7.3-P3
> -----
> 
> If so, any tips on easily getting a newer version[1]?  Does Mountain
> Lion include a newer version?

Yes

% /usr/bin/dig tlsa .

; <<>> DiG 9.8.3-P1 <<>> tlsa .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30368
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;.				IN	TLSA

;; AUTHORITY SECTION:
.			10762	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2012092801 1800 900 604800 86400

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 29 13:31:37 2012
;; MSG SIZE  rcvd: 92

% uname -a
Darwin drugs.dv.isc.org 12.2.0 Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64
%
 
> Thanks,
> Dan
> 
> [1] i.e. outside of going to https://www.isc.org/software/bind and doing
> the usual 'configure/make/make install' dance, which I've not actually
> tried on Mac OS X
> 
> -- 
> Dan York  dyork@lodestar2.com
> http://www.danyork.me/   skype:danyork
> Phone: +1-802-735-1624
> Twitter - http://twitter.com/danyork
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

From dan-ietf@danyork.org  Sat Sep 29 01:57:16 2012
Return-Path: <dan-ietf@danyork.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3331E21F8467 for <dane@ietfa.amsl.com>; Sat, 29 Sep 2012 01:57:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.156
X-Spam-Level: *
X-Spam-Status: No, score=1.156 tagged_above=-999 required=5 tests=[AWL=-3.056,  BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294,  FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uDQugHTHgGTN for <dane@ietfa.amsl.com>; Sat, 29 Sep 2012 01:57:14 -0700 (PDT)
Received: from mail-oa0-f44.google.com (mail-oa0-f44.google.com [209.85.219.44]) by ietfa.amsl.com (Postfix) with ESMTP id BAD2E21F8432 for <dane@ietf.org>; Sat, 29 Sep 2012 01:57:14 -0700 (PDT)
Received: by oagn5 with SMTP id n5so4481457oag.31 for <dane@ietf.org>; Sat, 29 Sep 2012 01:57:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.60.25.106 with SMTP id b10mr5450577oeg.7.1348909034213; Sat, 29 Sep 2012 01:57:14 -0700 (PDT)
Received: by 10.182.67.100 with HTTP; Sat, 29 Sep 2012 01:57:14 -0700 (PDT)
X-Originating-IP: [2001:470:1f07:309:41d7:4f9f:240e:6f2]
In-Reply-To: <20120929033505.B4DC12822CF1@drugs.dv.isc.org>
References: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org> <20120929033505.B4DC12822CF1@drugs.dv.isc.org>
Date: Sat, 29 Sep 2012 04:57:14 -0400
Message-ID: <CANdQK6Ye7ha-gU4VEY+MRS3Gj7saZaAmvGgTscd+SH_+SkCy3Q@mail.gmail.com>
From: Dan York <dan-ietf@danyork.org>
To: Mark Andrews <marka@isc.org>
Content-Type: multipart/alternative; boundary=e89a8ff2562cd192d904cad35bc4
X-Gm-Message-State: ALoCoQlh2m7BzkTWPfo7m2if//tPMFtOSj1+/6GNbMfdgl8HwaxbwNRWwxsYS7ljEwK7p30j90vx
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Sep 2012 08:57:16 -0000

--e89a8ff2562cd192d904cad35bc4
Content-Type: text/plain; charset=ISO-8859-1

Thank you, Richard, Shumon and Mark, for both the news that Mountain Lion
has the newer version of dig and also how to run TLSA queries using the
older version of dig. Very useful and I will capture those points in a
tutorial blog post. I guess I will block out some time to upgrade my laptop
soon.

Thanks,
Dan

On Friday, September 28, 2012, Mark Andrews wrote:

>
> In message <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>,
> Dan York writes:
> > Is there a newer version of 'dig' that supports TLSA records?  I just
> > received this on Mac OS X 10.7.4:
> > -----
> >  dyork$ dig +dnssec -t tlsa torproject.org
> > ;; Warning, ignoring invalid type tlsa
> > -----
>
> dig +dnssec type53 torproject.org
>
> > Here's the version info I have for dig:
> > -----
> > dyork$ dig -v
> > DiG 9.7.3-P3
> > -----
> >
> > If so, any tips on easily getting a newer version[1]?  Does Mountain
> > Lion include a newer version?
>
> Yes
>
> % /usr/bin/dig tlsa .
>
> ; <<>> DiG 9.8.3-P1 <<>> tlsa .
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30368
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;.                              IN      TLSA
>
> ;; AUTHORITY SECTION:
> .                       10762   IN      SOA     a.root-servers.net.
> nstld.verisign-grs.com. 2012092801 1800 900 604800 86400
>
> ;; Query time: 2 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Sep 29 13:31:37 2012
> ;; MSG SIZE  rcvd: 92
>
> % uname -a
> Darwin drugs.dv.isc.org 12.2.0 Darwin Kernel Version 12.2.0: Sat Aug 25
> 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 x86_64
> %
>
> > Thanks,
> > Dan
> >
> > [1] i.e. outside of going to https://www.isc.org/software/bind and
> > doing the usual 'configure/make/make install' dance, which I've not actually
> > tried on Mac OS X
> >
> > -- 
> > Dan York  dyork@lodestar2.com
> > http://www.danyork.me/   skype:danyork
> > Phone: +1-802-735-1624
> > Twitter - http://twitter.com/danyork
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>


-- 
--
Dan York, dan-ietf@danyork.org
http://danyork.me   http://twitter.com/danyork

--e89a8ff2562cd192d904cad35bc4--

From paul@cypherpunks.ca  Sat Sep 29 11:24:14 2012
Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A0B621F8513 for <dane@ietfa.amsl.com>; Sat, 29 Sep 2012 11:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.878
X-Spam-Level: 
X-Spam-Status: No, score=0.878 tagged_above=-999 required=5 tests=[AWL=-3.711,  BAYES_00=-2.599, FB_WORD1_END_DOLLAR=3.294, FB_WORD2_END_DOLLAR=3.294, J_CHICKENPOX_23=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MAfcP3GSPW2I for <dane@ietfa.amsl.com>; Sat, 29 Sep 2012 11:24:13 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 9E45621F84D1 for <dane@ietf.org>; Sat, 29 Sep 2012 11:24:13 -0700 (PDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id EEA7581161; Sat, 29 Sep 2012 14:24:11 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id E248B81019; Sat, 29 Sep 2012 14:24:11 -0400 (EDT)
Date: Sat, 29 Sep 2012 14:24:11 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Dan York <dan-ietf@danyork.org>
In-Reply-To: <CANdQK6Ye7ha-gU4VEY+MRS3Gj7saZaAmvGgTscd+SH_+SkCy3Q@mail.gmail.com>
Message-ID: <alpine.LFD.2.02.1209291419590.13973@bofh.nohats.ca>
References: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org> <20120929033505.B4DC12822CF1@drugs.dv.isc.org> <CANdQK6Ye7ha-gU4VEY+MRS3Gj7saZaAmvGgTscd+SH_+SkCy3Q@mail.gmail.com>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=ISO-8859-15
Content-Transfer-Encoding: 8BIT
Cc: Jake Appelbaum <jacob@appelbaum.net>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Sep 2012 18:24:14 -0000

On Sat, 29 Sep 2012, Dan York wrote:

> On Friday, September 28, 2012, Mark Andrews wrote:
>
>       In message <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org>, Dan York writes:
>       > Is there a newer version of 'dig' that supports TLSA records? I just
>       > received this on Mac OS X 10.7.4:
>       > -----
>       > dyork$ dig +dnssec -t tlsa torproject.org
>       > ;; Warning, ignoring invalid type tlsa
>       > -----
>
>       dig +dnssec type53 torproject.org

http://www.iana.org/assignments/dns-parameters

Note the RRtype for TLSA is 52, not 53. Note also that it is located in
a prefix, so use:

 	dig +dnssec type52 _443._tcp.www.torproject.org

It seems torproject.org has no TLSA record, only www.torproject.org does,
so CC:ing Jake so he can ping the right people to fix that.

Paul

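Paul's point above is that TLSA is RRtype 52 and lives under the _port._proto. prefix, and a dig old enough to need `type52` also prints the answer in RFC 3597 generic form. As an added example that is not part of the original mails or of BIND, this Python builds the owner name, emits the equivalent dig command, and decodes that generic RDATA into TLSA fields; the sample record is constructed and its hash is a placeholder, not www.torproject.org's real data.

```python
"""Build a TLSA owner name and decode the RFC 3597 generic RDATA that an
older dig prints for type 52, which it cannot name.  Added example for this
thread, not code from the mails or from BIND; SAMPLE below is constructed."""
import re

TLSA_RRTYPE = 52           # IANA dns-parameters: TLSA is type 52, not 53
HASH_LEN = {1: 32, 2: 64}  # RFC 6698 matching type 1 = SHA-256, 2 = SHA-512

def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name of a TLSA record: _<port>._<proto>.<host>.  The HTTPS
    record sits under _443._tcp., so a query for the bare name finds nothing."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError("unknown transport protocol")
    return "_%d._%s.%s." % (port, proto, host.rstrip(".").lower())

def dig_query(host, port=443, proto="tcp"):
    """Command line for a dig that lacks the TLSA mnemonic, as in the thread."""
    return "dig +dnssec type%d %s" % (TLSA_RRTYPE, tlsa_owner(host, port, proto))

def parse_tlsa_generic(rdata):
    """Parse RFC 3597 '\\# <len> <hex>' text into (usage, selector,
    matching_type, cert_assoc_hex), rejecting inconsistent records."""
    m = re.match(r"\\#\s+(\d+)\s+([0-9a-fA-F\s]*)$", rdata.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA")
    declared = int(m.group(1))
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != declared:
        raise ValueError("declared %d octets, got %d" % (declared, len(raw)))
    if declared < 4:
        raise ValueError("need 3 header octets plus association data")
    usage, selector, mtype, cert = raw[0], raw[1], raw[2], raw[3:]
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError("unassigned usage/selector/matching type")
    if mtype in HASH_LEN and len(cert) != HASH_LEN[mtype]:
        raise ValueError("matching type %d needs %d octets" % (mtype, HASH_LEN[mtype]))
    return usage, selector, mtype, cert.hex()

# Constructed sample: usage 3 (DANE-EE), selector 1 (SPKI), SHA-256 digest;
# the digest value is a placeholder pattern, not a real certificate hash.
SAMPLE = r"\# 35 030101 " + "0123456789abcdef" * 4

if __name__ == "__main__":
    print(dig_query("www.torproject.org"))
    print(parse_tlsa_generic(SAMPLE))
```
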
From peter@palfrader.org  Sat Sep 29 11:28:22 2012
Return-Path: <peter@palfrader.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 754A321F8464 for <dane@ietfa.amsl.com>; Sat, 29 Sep 2012 11:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.556
X-Spam-Level: 
X-Spam-Status: No, score=-1.556 tagged_above=-999 required=5 tests=[AWL=-1.044, BAYES_05=-1.11, J_CHICKENPOX_23=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J6VoMo89CdLy for <dane@ietfa.amsl.com>; Sat, 29 Sep 2012 11:28:22 -0700 (PDT)
Received: from anguilla.debian.or.at (anguilla.debian.or.at [IPv6:2001:858:10f:6::2]) by ietfa.amsl.com (Postfix) with ESMTP id CA43921F845B for <dane@ietf.org>; Sat, 29 Sep 2012 11:28:21 -0700 (PDT)
Received: by anguilla.debian.or.at (Postfix, from userid 1002) id DCAC410E805; Sat, 29 Sep 2012 20:28:20 +0200 (CEST)
Date: Sat, 29 Sep 2012 20:28:20 +0200
From: Peter Palfrader <peter@palfrader.org>
To: Paul Wouters <paul@cypherpunks.ca>
Message-ID: <20120929182820.GL23834@anguilla.noreply.org>
References: <DE03CDCF-C620-4E0D-8A45-417573809B64@danyork.org> <20120929033505.B4DC12822CF1@drugs.dv.isc.org> <CANdQK6Ye7ha-gU4VEY+MRS3Gj7saZaAmvGgTscd+SH_+SkCy3Q@mail.gmail.com> <alpine.LFD.2.02.1209291419590.13973@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.02.1209291419590.13973@bofh.nohats.ca>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: Jake Appelbaum <jacob@appelbaum.net>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Version of dig for Mac OS X supporting TLSA records?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Sep 2012 18:28:22 -0000

On Sat, 29 Sep 2012, Paul Wouters wrote:

> On Sat, 29 Sep 2012, Dan York wrote:
> >      dig +dnssec type53 torproject.org
> 
> Note the RRtype for TLSA is 52, not 53. Note also that it is located in
> a prefix, so use:
> 
> 	dig +dnssec type52 _443._tcp.www.torproject.org
> 
> It seems torproject.org has no TLSA record, only www.torproject.org does,
> so CC:ing Jake so he can ping the right people to fix that.

Added.

Cheers,
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

From warren@kumari.net  Sun Sep 30 02:00:13 2012
Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B78EB21F84F8 for <dane@ietfa.amsl.com>; Sun, 30 Sep 2012 02:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.411
X-Spam-Level: 
X-Spam-Status: No, score=-100.411 tagged_above=-999 required=5 tests=[AWL=-0.201, BAYES_05=-1.11, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g5lXpQEEbxLl for <dane@ietfa.amsl.com>; Sun, 30 Sep 2012 02:00:13 -0700 (PDT)
Received: from vimes.kumari.net (smtp1.kumari.net [204.194.22.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11E8121F84A7 for <dane@ietf.org>; Sun, 30 Sep 2012 02:00:12 -0700 (PDT)
Received: from [192.168.1.201] (62-50-227-158.client.stsn.net [62.50.227.158]) by vimes.kumari.net (Postfix) with ESMTPSA id 2D76A1B4044C; Sun, 30 Sep 2012 05:00:11 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 6.1 \(1498\))
From: Warren Kumari <warren@kumari.net>
In-Reply-To: <FBCB9053-91C3-4EBC-874E-97067A922E49@nic.cz>
Date: Sun, 30 Sep 2012 11:00:17 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C73CE37F-C34D-4824-AF11-D03F14AE3015@kumari.net>
References: <BD9F1901-911A-49EB-9390-B18D8A9D0B30@nic.cz> <FBCB9053-91C3-4EBC-874E-97067A922E49@nic.cz>
To: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
X-Mailer: Apple Mail (2.1498)
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] IETF 85 - meet or not to meet?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Sep 2012 09:00:13 -0000

On Sep 24, 2012, at 3:10 PM, Ondřej Surý <ondrej.sury@nic.cz> wrote:

> More specifically, we are going to cancel the session after Oct 4th unless we hear from you that you want to meet and we have an agenda.
>

Apologies all -- due to the contention for meeting slots and the difficulty of scheduling all these slots we are moving the cutoff to the 2nd.

W


> O.
>
> On 23. 9. 2012, at 12:28, Ondřej Surý <ondrej.sury@nic.cz> wrote:
>
>> Dear WG,
>>
>> we did register a slot for IETF 85 (just in case), but from the volume of the mailing list and just one WG draft (we have just adopted), we are quite unsure if there's enough interest in meeting.
>>
>> I am personally inclined to cancel this meeting and reschedule for next year.
>>
>> Any comments (if saying yes, please also say why and attach an agenda item suggestion :))?
>>
>> O.
>> --
>> Ondřej Surý -- Chief Science Officer
>> -------------------------------------------
>> CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
>> Americka 23, 120 00 Praha 2, Czech Republic
>> mailto:ondrej.sury@nic.cz    http://nic.cz/
>> tel:+420.222745110       fax:+420.222745112
>> -------------------------------------------
>>
>
> --
> Ondřej Surý -- Chief Science Officer
> -------------------------------------------
> CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
> Americka 23, 120 00 Praha 2, Czech Republic
> mailto:ondrej.sury@nic.cz    http://nic.cz/
> tel:+420.222745110       fax:+420.222745112
> -------------------------------------------
>

