
From nobody Fri Jul  8 08:05:48 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dane@ietf.org
Delivered-To: dane@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 13EED12D749; Fri,  8 Jul 2016 08:05:46 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.25.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160708150546.32103.29674.idtracker@ietfa.amsl.com>
Date: Fri, 08 Jul 2016 08:05:46 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/q9j7Bzi6CzNif1Lmj00NzqMc0DM>
Cc: dane@ietf.org
Subject: [dane] I-D Action: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 15:05:46 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS-based Authentication of Named Entities of the IETF.

        Title           : Using Secure DNS to Associate Certificates with Domain Names For S/MIME
        Authors         : Paul Hoffman
                          Jakob Schlyter
        Filename        : draft-ietf-dane-smime-11.txt
        Pages           : 10
        Date            : 2016-07-08

Abstract:
   This document describes how to use secure DNS to associate an S/MIME
   user's certificate with the intended domain name, similar to the way
   that DANE (RFC 6698) does for TLS.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dane-smime/

There's also an htmlized version available at:
https://tools.ietf.org/html/draft-ietf-dane-smime-11

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dane-smime-11


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Jul  8 08:36:04 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14A312D7CA for <dane@ietfa.amsl.com>; Fri,  8 Jul 2016 08:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhdsbTWZxsyq for <dane@ietfa.amsl.com>; Fri,  8 Jul 2016 08:35:55 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 482BA12D825 for <dane@ietf.org>; Fri,  8 Jul 2016 08:35:55 -0700 (PDT)
Received: from [10.32.60.87] (142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u68FZs0L059076 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dane@ietf.org>; Fri, 8 Jul 2016 08:35:54 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201] claimed to be [10.32.60.87]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: dane@ietf.org
Date: Fri, 08 Jul 2016 08:35:53 -0700
Message-ID: <F0A8D915-CE88-4A8B-BA66-D8163158A90C@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/DOnh5C-r0-0sU87gU89MgA-1IoE>
Subject: [dane] draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 15:36:02 -0000

Greetings. Jakob and I have made a large number of changes to 
draft-ietf-dane-smime to incorporate the related WG changes that were 
made to draft-ietf-dane-openpgpkey during its last calls. We think 
draft-ietf-dane-smime-11 is ready for WG Last Call and progression.

--Jakob Schlyter and Paul Hoffman


From nobody Fri Jul  8 12:40:58 2016
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8EE512D0AF for <dane@ietfa.amsl.com>; Fri,  8 Jul 2016 12:40:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level: 
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZKb3pUqr2WI for <dane@ietfa.amsl.com>; Fri,  8 Jul 2016 12:40:54 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5438B12D0D3 for <dane@ietf.org>; Fri,  8 Jul 2016 12:40:54 -0700 (PDT)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 8 Jul 2016 12:47:10 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>, <dane@ietf.org>
References: <F0A8D915-CE88-4A8B-BA66-D8163158A90C@vpnc.org>
In-Reply-To: <F0A8D915-CE88-4A8B-BA66-D8163158A90C@vpnc.org>
Date: Fri, 8 Jul 2016 12:40:46 -0700
Message-ID: <01af01d1d950$a0dfaf00$e29f0d00$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHAhUnkNwYMBtpcgBoOdfpHdO5pwaAxk36g
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/YUJH_zuSxR20ve2JMwh-HOkaFzw>
Subject: Re: [dane] draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 19:40:57 -0000

Since I have never been in the camp of believing that the email matching
problem has been solved, I have not really looked very hard at these drafts.
However, in the process of getting updates to S/MIME ready, I got an item
pinged into my mind that they probably need to address.  How are the
capabilities of an S/MIME client for encryption to be obtained as part of
this query?  Today, getting a signed message will provide those capabilities;
it is possible to put them into a certificate (RFC 4262), but this has
problems when they change (you need to get a new certificate), and LDAP has
the userSMIMECertificate field, which contains both the certificates and the
capabilities.

Since knowing what content encryption algorithm is supported can be
considered critical, this should be covered in the draft.

Jim


> -----Original Message-----
> From: dane [mailto:dane-bounces@ietf.org] On Behalf Of Paul Hoffman
> Sent: Friday, July 08, 2016 8:36 AM
> To: dane@ietf.org
> Subject: [dane] draft-ietf-dane-smime-11.txt
> 
> Greetings. Jakob and I have made a large number of changes to
> draft-ietf-dane-smime to incorporate the related WG changes that were made to
> draft-ietf-dane-openpgpkey during its last calls. We think
> draft-ietf-dane-smime-11 is ready for WG Last Call and progression.
> 
> --Jakob Schlyter and Paul Hoffman
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From nobody Sat Jul  9 09:53:23 2016
Return-Path: <ogud@ogud.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F008127077 for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 09:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VpVV1yPIsaKc for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 09:53:19 -0700 (PDT)
Received: from smtp108.iad3a.emailsrvr.com (smtp108.iad3a.emailsrvr.com [173.203.187.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4309F1200DF for <dane@ietf.org>; Sat,  9 Jul 2016 09:53:18 -0700 (PDT)
Received: from smtp30.relay.iad3a.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp30.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 90CB4380B6D for <dane@ietf.org>; Sat,  9 Jul 2016 12:53:15 -0400 (EDT)
X-Auth-ID: ogud@ogud.com
Received: by smtp30.relay.iad3a.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 81DE4380B5D for <dane@ietf.org>; Sat,  9 Jul 2016 12:53:15 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-173-66-187-177.washdc.fios.verizon.net [173.66.187.177]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.5.4); Sat, 09 Jul 2016 12:53:15 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F4F14D26-376A-4703-987E-C643AFE56C94"
Message-Id: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com>
Date: Sat, 9 Jul 2016 12:53:18 -0400
To: dane WG list <dane@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/AjUjw-EXbSt3nlEqt-bvvIacDZM>
Subject: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 16:53:21 -0000

--Apple-Mail=_F4F14D26-376A-4703-987E-C643AFE56C94
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8


Dear Colleagues,

The editors of https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have requested a WGLC;
the chairs are satisfied that the document is in good shape. This message starts a three-week WG LC
that concludes on Monday July 25 23:59 UTC (we have extended the usual 2 weeks because of the
upcoming meeting, travel, etc).

This document is on the Experimental track; it is a close relative of a prior document from our group,
https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/, which is in AUTH-48 at this point.
Any discussions on “local part” other than to point out a difference between the OPENPGP document
and this one are out of scope.

Any other issues should be brought forward.

thanks
  Olafur & Warren


--Apple-Mail=_F4F14D26-376A-4703-987E-C643AFE56C94--


From nobody Sat Jul  9 09:58:09 2016
Return-Path: <ietf-secretariat-reply@ietf.org>
X-Original-To: dane@ietf.org
Delivered-To: dane@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 715C512D1B9 for <dane@ietf.org>; Sat,  9 Jul 2016 09:58:08 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
To: <dane@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.25.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160709165808.25496.5402.idtracker@ietfa.amsl.com>
Date: Sat, 09 Jul 2016 09:58:08 -0700
From: IETF Secretariat <ietf-secretariat-reply@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/khiYS26oYT9ZO7KcdJlxwuW1QXw>
Subject: [dane] Milestones changed for dane WG
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 16:58:08 -0000

Changed milestone "Recharter or close down", set due date to October
2016 from January 2016.

URL: https://datatracker.ietf.org/wg/dane/charter/


From nobody Sat Jul  9 11:15:45 2016
Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D768612D0EF for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:15:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnqRKElazk4o for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:15:42 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F90612D0BF for <dane@ietf.org>; Sat,  9 Jul 2016 11:15:41 -0700 (PDT)
Received: (qmail 14881 invoked from network); 9 Jul 2016 18:15:40 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 9 Jul 2016 18:15:40 -0000
Date: 9 Jul 2016 18:15:18 -0000
Message-ID: <20160709181518.19778.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com>
Organization: 
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/2bU7AWUeaiz8O2mBMp1dODs4JKc>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 18:15:44 -0000

>Any other issues should be brought forward 

Section 3 says:

      If the local-part contains any non-ASCII characters, it SHOULD be
      normalized using the Unicode Normalization Form C from
      [Unicode52].

but section 4 says:

   Therefor, sending MUAs and MTAs supporting this
   specification MUST NOT perform any kind of mapping rules based on the
   email address.

Section 3 is wrong -- when RFC5321 says that local parts are opaque,
it means it. RFCs 6530 through 6532 deliberately did not provide any
advice on canonicalizing UTF-8 local parts, and it's inappropriate to
do it here.

R's,
John


From nobody Sat Jul  9 11:24:55 2016
Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC3AE12D5F2 for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:24:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MovC6gO8nnyz for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:24:52 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD6AA12D5EC for <dane@ietf.org>; Sat,  9 Jul 2016 11:24:51 -0700 (PDT)
Received: (qmail 16397 invoked from network); 9 Jul 2016 18:24:50 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 9 Jul 2016 18:24:50 -0000
Date: 9 Jul 2016 18:24:28 -0000
Message-ID: <20160709182428.19819.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com>
Organization: 
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/_u9tjDYzXxQSlop6DCZbkTqNQx4>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 18:24:54 -0000

>Any other issues should be brought forward 

Also, I see that there's a disclaimer about the semantics of
the certificates, but I'm still confused.

At this point, all S/MIME certificates are signed by a CA, and MUAs
typically put ugly red marks on messages with a cert from an unknown CA.

I gather the idea here is that the certs can be self-signed, and
they're credible in the absence of a CA signature because the domain
is asserting something about them via DNSSEC publication.  But it
never says that, or anything like that.

R's,
John


From nobody Sat Jul  9 11:40:42 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D02DE12D1BE for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ho00ZYPuIlQl for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:40:40 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4813912D1B8 for <dane@ietf.org>; Sat,  9 Jul 2016 11:40:39 -0700 (PDT)
Received: from [10.32.60.34] (142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u69IebhB027787 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 9 Jul 2016 11:40:38 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201] claimed to be [10.32.60.34]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "John Levine" <johnl@taugh.com>
Date: Sat, 09 Jul 2016 11:40:37 -0700
Message-ID: <DE78F5CC-AE00-4E10-8F17-BB5FB39EB297@vpnc.org>
In-Reply-To: <20160709181518.19778.qmail@ary.lan>
References: <20160709181518.19778.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/5vX9tN0E57FhjSLZf7OS2_0ZjmE>
Cc: dane@ietf.org
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 18:40:41 -0000

On 9 Jul 2016, at 11:15, John Levine wrote:

> Section 3 is wrong

The wording in this draft matches the wording in 
draft-ietf-dane-openpgpkey that has IETF consensus. Get over it.

--Paul Hoffman


From nobody Sat Jul  9 11:46:39 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B40E12D1BE for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:46:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5i831bWuZ-5 for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 11:46:36 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40AEE12D147 for <dane@ietf.org>; Sat,  9 Jul 2016 11:46:36 -0700 (PDT)
Received: from [10.32.60.34] (142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u69IkYEE028217 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 9 Jul 2016 11:46:35 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201] claimed to be [10.32.60.34]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "John Levine" <johnl@taugh.com>
Date: Sat, 09 Jul 2016 11:46:34 -0700
Message-ID: <D1D860E0-4F6A-4E77-8739-2FEA60371251@vpnc.org>
In-Reply-To: <20160709182428.19819.qmail@ary.lan>
References: <20160709182428.19819.qmail@ary.lan>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/SVsG7S9O-XHtgyb4dqUYKQB7na0>
Cc: dane@ietf.org
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 18:46:37 -0000

On 9 Jul 2016, at 11:24, John Levine wrote:

>> Any other issues should be brought forward
>
> Also, I see that there's a disclaimer about the semantics of
> the certificates, but I'm still confused.
>
> At this point, all S/MIME certificates are signed by a CA, and MUAs
> typically put ugly red marks on message with a cert with an unknown 
> CA.
>
> I gather the idea here is that the certs can be self-signed, and
> they're credible in the absence of a CA signature because the domain
> is asserting something about them via DNSSEC publication.  But it
> never says that, or anything like that.

I have not done a recent survey of MUAs with S/MIME support and 
self-signed PKIX certs, but when I did an informal survey in the past, 
most of them supported a similar interface to the browsers at the time 
with a layer of "are you really sure you want to do that" followed by 
"OK, you did that" and it worked. We have no idea how they will change 
with the introduction of DANE with SMIMEA records, but I would hope it 
would be even easier. If it turns out that none of the MUAs want that, 
that will be a really good indication of how this experiment is faring. 
(Ditto for the parallel features in OpenPGP with the new OPENPGPKEY 
record.)

--Paul Hoffman


From nobody Sat Jul  9 13:35:44 2016
Return-Path: <paf@frobbit.se>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79F8D12D177 for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 13:35:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level: 
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ST6FIBTn8vnT for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 13:35:41 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 505F412B035 for <dane@ietf.org>; Sat,  9 Jul 2016 13:35:41 -0700 (PDT)
Received: from [192.165.72.17] (unknown [IPv6:2a02:80:3ffc:0:cc8e:2e18:fab4:9ecc]) by mail.frobbit.se (Postfix) with ESMTPSA id 7608A249E1; Sat,  9 Jul 2016 22:35:38 +0200 (CEST)
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Paul Hoffman" <paul.hoffman@vpnc.org>
Date: Sat, 09 Jul 2016 22:35:37 +0200
Message-ID: <4C6AB4A2-5A25-4FBD-AA85-35B0702BA133@frobbit.se>
In-Reply-To: <DE78F5CC-AE00-4E10-8F17-BB5FB39EB297@vpnc.org>
References: <20160709181518.19778.qmail@ary.lan> <DE78F5CC-AE00-4E10-8F17-BB5FB39EB297@vpnc.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_8E315166-7B3D-4D60-A9EF-44AFE33E11BD_="; micalg=pgp-sha1; protocol="application/pgp-signature"
X-Mailer: MailMate (2.0BETAr6042)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/z-_vKb_Xma96EtihIGJlnQHE56g>
Cc: John Levine <johnl@taugh.com>, dane@ietf.org
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 20:35:42 -0000

This is an OpenPGP/MIME signed message (RFC 3156 and 4880).

--=_MailMate_8E315166-7B3D-4D60-A9EF-44AFE33E11BD_=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On 9 Jul 2016, at 20:40, Paul Hoffman wrote:

> On 9 Jul 2016, at 11:15, John Levine wrote:
>
>> Section 3 is wrong
>
> The wording in this draft matches the wording in draft-ietf-dane-openpg=
pkey that has IETF consensus. Get over it.

In practice, I would be surprised if not matching algorithms used do norm=
alize to normalization form c and case folding before doing matching.

But, to be honest, I think the correct wording we will never know before
we actually do have implementations, so let's beat this horse to death when
we know what people actually have implemented.

And, FWIW, I have not implemented it. Just to make it clear.

   Patrik

--=_MailMate_8E315166-7B3D-4D60-A9EF-44AFE33E11BD_=
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename=signature.asc
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAleBYBkACgkQrMabGguI1817LwCcCRxP74tenKJA5OYaRNv1WCNC
9LIAnjZnn8UX6TrYKCTklfFGuI0CAcWF
=L6f8
-----END PGP SIGNATURE-----

--=_MailMate_8E315166-7B3D-4D60-A9EF-44AFE33E11BD_=--


From nobody Sat Jul  9 16:16:19 2016
Return-Path: <dev+ietf@seantek.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BBEC12D0CB for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 16:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.701
X-Spam-Level: 
X-Spam-Status: No, score=-0.701 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6FoHj-_nemSe for <dane@ietfa.amsl.com>; Sat,  9 Jul 2016 16:16:17 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B475B12D095 for <dane@ietf.org>; Sat,  9 Jul 2016 16:16:17 -0700 (PDT)
Received: from [192.168.123.7] (unknown [75.83.2.34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id AA780509B5 for <dane@ietf.org>; Sat,  9 Jul 2016 19:16:16 -0400 (EDT)
To: dane@ietf.org
References: <20160709181518.19778.qmail@ary.lan>
From: Sean Leonard <dev+ietf@seantek.com>
Message-ID: <e5fa9b93-8be1-eb48-be19-186472967d81@seantek.com>
Date: Sat, 9 Jul 2016 16:15:38 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160709181518.19778.qmail@ary.lan>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/PGHh2YB8V6NokqVoM4mK17WfZXA>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 23:16:18 -0000

On 7/9/2016 11:15 AM, John Levine wrote:
>> Any other issues should be brought forward
> Section 3 says:
>
>        If the local-part contains any non-ASCII characters, it SHOULD be
>        normalized using the Unicode Normalization Form C from
>        [Unicode52].
>
> but section 4 says:
>
>     Therefor, sending MUAs and MTAs supporting this
>     specification MUST NOT perform any kind of mapping rules based on the
>     email address.
>
> Section 3 is wrong -- when RFC5321 says that local parts are opaque,
> it means it. RFCs 6530 through 6532 deliberately did not provide any
> advice on canonicalizing UTF-8 local parts, and it's inappropriate to
> do it here.

+1 to John's point. Remove the sentence in Section 3.

Regards,

Sean
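The Section 3 versus Section 4 disagreement John quotes above, and Patrik's remark in his reply that matching code tends to apply NFC and case folding anyway, come down to one question: do the publisher of the SMIMEA record and the querying MUA hash the same octets? The Python below is an added example written for this page; it is not code from the draft or from anyone on this thread. It assumes the owner-name construction of the openpgpkey sibling document as this editor understands it (SHA2-256 over the UTF-8 local-part, truncated to 28 octets, hex-encoded, under an assumed `_smimecert` label), splits the address at its last `@`, and uses the hypothetical helpers `publish`, `lookup` and `demo` to stand in for a zone and a resolver.

```python
import hashlib
import unicodedata
from typing import Dict, Optional, Tuple

# Label the SMIMEA RRset is assumed to live under (assumption of this example,
# modelled on the openpgpkey sibling document; not quoted on this page).
SMIMEA_PREFIX = "_smimecert"


def split_address(email: str) -> Tuple[str, str]:
    """Split an address into (local-part, domain) at the last '@'.

    The local-part is left exactly as given: per RFC 5321 it is opaque, which is
    the point John makes above.  Splitting at the last '@' is this example's
    simplification (quoted local-parts may themselves contain '@').
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local_part, domain


def smimea_label(local_part: str, normalize_nfc: bool) -> str:
    """Hashed owner-name label for a local-part.

    Assumed construction: SHA2-256 over the UTF-8 octets of the local-part,
    truncated to 28 octets (224 bits), lowercase hex.  When normalize_nfc is
    True the local-part is first put into Unicode Normalization Form C, i.e.
    the behaviour Section 3 of the draft asks for and Section 4 forbids.
    """
    if normalize_nfc:
        local_part = unicodedata.normalize("NFC", local_part)
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return digest[:28].hex()


def smimea_owner_name(email: str, normalize_nfc: bool) -> str:
    """Fully qualified owner name of the SMIMEA RRset for an address."""
    local_part, domain = split_address(email)
    return f"{smimea_label(local_part, normalize_nfc)}.{SMIMEA_PREFIX}.{domain}."


# A constructed zone: owner name -> a reference to the published certificate.
# This stands in for the DNS; a dict miss plays the role of a NODATA/NXDOMAIN answer.
Zone = Dict[str, str]


def publish(zone: Zone, email: str, cert_ref: str, normalize_nfc: bool) -> str:
    """Publisher side: place a record under the owner name it computes."""
    name = smimea_owner_name(email, normalize_nfc)
    zone[name] = cert_ref
    return name


def lookup(zone: Zone, email: str, normalize_nfc: bool) -> Optional[str]:
    """Querier (MUA) side: None means no SMIMEA record was found for this address."""
    return zone.get(smimea_owner_name(email, normalize_nfc))


def demo() -> Dict[str, object]:
    """Show how NFC (dis)agreement between publisher and querier changes the result."""
    composed = "ren\u00e9@example.com"      # U+00E9: already in NFC
    decomposed = "rene\u0301@example.com"   # 'e' + U+0301 combining acute: NFD
    zone: Zone = {}
    # The publisher hashed the address exactly as entered, without NFC.
    publish(zone, decomposed, "cert-rene", normalize_nfc=False)
    return {
        # Both spellings hash alike once both sides apply NFC ...
        "same_label_after_nfc":
            smimea_label("ren\u00e9", True) == smimea_label("rene\u0301", True),
        # ... and differently when neither side does.
        "same_label_without_nfc":
            smimea_label("ren\u00e9", False) == smimea_label("rene\u0301", False),
        # A querier that applies NFC looks under a different name and finds nothing.
        "found_by_nfc_querier": lookup(zone, composed, normalize_nfc=True),
        # A querier that hashes the raw octets finds the record.
        "found_by_raw_querier": lookup(zone, decomposed, normalize_nfc=False),
        # NFC does not fold case: 'Rene' and 'rene' differ with or without it.
        "nfc_folds_case": smimea_label("Rene", True) == smimea_label("rene", True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The outcome of a publisher/querier mismatch is a miss, not a wrong answer: the querier computes a different owner name, finds no SMIMEA record, and falls back to whatever it does without one. NFC also does nothing about case, so `Rene` and `rene` hash differently whether or not either side normalizes, which is the case-folding half of Patrik's point.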


From nobody Mon Jul 11 06:52:04 2016
Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15F0912D1AE for <dane@ietfa.amsl.com>; Mon, 11 Jul 2016 06:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_XqyYyddnYO for <dane@ietfa.amsl.com>; Mon, 11 Jul 2016 06:51:57 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 837BC12D1AF for <dane@ietf.org>; Mon, 11 Jul 2016 06:51:57 -0700 (PDT)
Received: by mail-qk0-x22d.google.com with SMTP id p74so58088208qka.0 for <dane@ietf.org>; Mon, 11 Jul 2016 06:51:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=noAyeLY2ur2oIsHRHLmYFckhhj5/Jgiidw/iPBp+PHM=; b=TemU9QP67l34ur4sZTm2X+Af4dQQBBQwwbFPcOTkUVOqr0hAt7u9Bah4ckax9+O6Qz Q3OB7vlac0TNDdFFdZry7lTlGyvHnssFJWjgQbFnk5R+B4DLF/W24OPNTki56p9JLJT+ jwBBueKJ0kh0neR4jIx5zgnt/C0Fj3k5gcEV5TcOt0eIGqHgw19iisK4/2gL7x86zauT SEb+1JB8vIzscHtK1Esaz/xa+vulHPcKQkmYvL04r0+oXqhkqdKs12BNA/JVXY6L8IZC K1qs5alMA/FRk+jJUInY/5jIEoIpOGP72m+PS+lDybPYpIpLgDmtPE1wHiJ0419Ocjjp q9SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=noAyeLY2ur2oIsHRHLmYFckhhj5/Jgiidw/iPBp+PHM=; b=Hf9SnoIS8cAMHPyYernzRwIVepYnkUKnu5jBBdw2PcEmqFH8ajC6WOTcam2xA2nXLg SYWsPAL2nbc6o/cJtIhEqR43GqloQkXQgasKyn/MYArXRO55rFXXsMuPMkAOhhbYp3QN +4J2D+8eykPjKMtapfUtGasOKAnPi8YXjp7n92jYSUR0Op60aHytGtOoZPWdskHo3ing 8rAgPK3BgovkUZP5bhWinbzhA260DGKXFwGysN7yjtFFO8uTgIAZ5aXuGCGqiERZC+yf rpOHeX05ovtkcAnArkJPbGIr8YDYs+Rdkxlk3QuHDLyGz36n3quwI8HzCOTwltTqCE17 uaGQ==
X-Gm-Message-State: ALyK8tKZY0TTexPmAJDzZ1poVz5tQTmPe8cZduW+Fj5rpakr/Lcyb+7a6vzZNC/Fy3mxsCtur+ihD8ktE7ikO7yl
X-Received: by 10.55.163.133 with SMTP id m127mr25891237qke.71.1468245116471;  Mon, 11 Jul 2016 06:51:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.93.71 with HTTP; Mon, 11 Jul 2016 06:51:26 -0700 (PDT)
In-Reply-To: <DE78F5CC-AE00-4E10-8F17-BB5FB39EB297@vpnc.org>
References: <20160709181518.19778.qmail@ary.lan> <DE78F5CC-AE00-4E10-8F17-BB5FB39EB297@vpnc.org>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 11 Jul 2016 09:51:26 -0400
Message-ID: <CAHw9_iJAYCO+hf=aCu0F5cK6bKfe_s4Ae4ZNkwt+bQbS9g=wdg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/miOrY4zsWf6fd_d44R2ieho2Vnc>
Cc: John Levine <johnl@taugh.com>, "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 13:51:59 -0000

On Sat, Jul 9, 2016 at 2:40 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On 9 Jul 2016, at 11:15, John Levine wrote:
>
>> Section 3 is wrong
>
>
> The wording in this draft matches the wording in draft-ietf-dane-openpgpkey
> that has IETF consensus. Get over it.

Yup. Much of the WG (including, I believe, both chairs and the authors
of both -smime and openpgp) does not like the consensus in
draft-ietf-dane-openpgpkey -- however, this was the consensus, and we
really don't need to relitigate it.

W

>
> --Paul Hoffman
>
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


From nobody Sun Jul 24 14:07:26 2016
Return-Path: <warren@kumari.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E613F12D1E7 for <dane@ietfa.amsl.com>; Sun, 24 Jul 2016 14:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C4gKa5jtotoP for <dane@ietfa.amsl.com>; Sun, 24 Jul 2016 14:07:23 -0700 (PDT)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0912A12D578 for <dane@ietf.org>; Sun, 24 Jul 2016 14:07:22 -0700 (PDT)
Received: by mail-lf0-x22a.google.com with SMTP id l69so116454706lfg.1 for <dane@ietf.org>; Sun, 24 Jul 2016 14:07:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kSbQJeOy804Jy2Oghnsh7YILA4cJjeQyiSt7DJayrOA=; b=f/imOuz/sHCJXYtuCB0ri0XFd3uUP538N552e1eFJCUcxNc4Ch7Bj7Jgch+a+fl+k0 89YcY2++C0bNHl898cjjzKDoyon+b0WmTl0ADdDPAuw79N1Hdr5bz7YUk63yakH7VfLo KsDslhtc9IWcvo4jr/XHftnthS+xj13+U4GXsr3xTVuxWd6kvYDk5+sm+Kk3J3joOJJi wweK4u+cs0vlDYsHKDscbiodVPELQ+znpTMy41M5bDJgFC4uc945T8liH/F2SPQ3TGK4 Q+E0IYKzvV7bFsIjYxJ5gZTmiQYTjGBKhM14AHJS/ghf+1zikrBzXunEAE9WGWfT+y50 2FqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kSbQJeOy804Jy2Oghnsh7YILA4cJjeQyiSt7DJayrOA=; b=h7FDIEiMQmY8i/P9BV34yhmNpfvWczN5P9napSJJicoaaPMuME3VHRNUzE7vEtOWzE D6qIKwLOuj/v5GDxzgfDbxeld/AjXrkyyVLp0ryfrU9ctHDvyDkYSjQnhzJNMbTJsmAZ HdyChqorRHY68h6VVDALjyGLIadUZ8j/mPj29hT0+0dmNaTTVPBvagUhbIRpC1kXMb2H EynCa/i47i4yQpvY0pITQZAQXyp65zWyFile1OepIARE5O0/aXbFGQ4Uu0FMfZzV8Vy0 VoZlD5GFRl2u2wIL5svLIcuHtEtvQJVOaBDaI9p5J5vYHVHQZLMeSgIbM6R5LsA6WRgt qm/Q==
X-Gm-Message-State: AEkoous9drh1w4he79o/iWSjteE5t/ffqRU071vGkkzj6YqjmyEgorJARHfx3AiQExRTS7AIuiSRQWgrh2Gc3fh5
X-Received: by 10.25.157.146 with SMTP id g140mr5734647lfe.172.1469394441029;  Sun, 24 Jul 2016 14:07:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.160.42 with HTTP; Sun, 24 Jul 2016 14:06:51 -0700 (PDT)
In-Reply-To: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com>
From: Warren Kumari <warren@kumari.net>
Date: Sun, 24 Jul 2016 17:06:51 -0400
Message-ID: <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/Dd8JJLbBqSlTCwt-9yvq6wWew4g>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2016 21:07:25 -0000

Dear Everyone,

A reminder that this WGLC closes tomorrow -- so far we have not really
seen sufficient feedback on this document. PLEASE review this document
and provide comment.

I also wanted to make sure people (including the authors) had seen:
https://www.ietf.org/mail-archive/web/dane/current/msg08382.html

W

On Sat, Jul 9, 2016 at 12:53 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
>
> Dear Colleagues
>
> The editors of https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have
> requested a WGLC,
> the chairs are satisfied that the document is in good shape. This message
> starts a three week WG LC,
> that concludes on Monday July 25 23:59 UTC (we have extended the
> usual 2 weeks because of the upcoming meeting, travel, etc).
>
> This document is on the Experimental track, it is a close relative of a
> prior document from our group
> https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/  which is in
> AUTH-48 at this point.
> Any discussions on “local part” other than to point out a difference between
> the OPENPGP document and this one are
> out of scope.
>
> Any other issues should be brought forward
>
> thanks
>   Olafur & Warren
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
>



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


From nobody Mon Jul 25 02:32:23 2016
Return-Path: <johnl@taugh.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8828012D63A for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 02:32:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7WEXQqopSZuf for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 02:32:21 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09F9612D5A1 for <dane@ietf.org>; Mon, 25 Jul 2016 02:32:20 -0700 (PDT)
Received: (qmail 64238 invoked from network); 25 Jul 2016 09:32:19 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 25 Jul 2016 09:32:19 -0000
Date: 25 Jul 2016 09:31:57 -0000
Message-ID: <20160725093157.16714.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: dane@ietf.org
In-Reply-To: <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com>
Organization: 
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/rvD2HU-zjJKzntcDgORyCLB4tKQ>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 09:32:22 -0000

>A reminder that this WGLC closes tomorrow -- so far we have not really
>seen sufficient feedback on this document. PLEASE review this document
>and provide comment.

My opinion is the same as it's been all along: this draft is harmful
to the Internet and should not be published at all, as Experimental or
anything else.

I lost this argument on the PGP draft and don't expect to win it here,
but you asked, so that's the comment.


R's,
John


From nobody Mon Jul 25 05:08:49 2016
Return-Path: <scott.rose@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A3312D0C4 for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 05:08:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6X_1uPp2a8h for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 05:08:45 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [IPv6:2610:20:6005:13::150]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9892812B043 for <dane@ietf.org>; Mon, 25 Jul 2016 05:08:45 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.3.301.0; Mon, 25 Jul 2016 08:11:44 -0400
Received: from postmark.nist.gov (129.6.16.94) by WSXGHUB1.xchange.nist.gov (129.6.18.96) with Microsoft SMTP Server (TLS) id 8.3.465.0; Mon, 25 Jul 2016 08:08:43 -0400
Received: from [129.6.140.7] (7-140.antd.nist.gov [129.6.140.7])	by postmark.nist.gov (8.13.8/8.13.1) with ESMTP id u6PC8fNk013838	for <dane@ietf.org>; Mon, 25 Jul 2016 08:08:41 -0400
From: "Rose, Scott" <scott.rose@nist.gov>
To: dane WG list <dane@ietf.org>
Date: Mon, 25 Jul 2016 08:08:48 -0400
Message-ID: <39B765CF-462F-4058-A414-F6D931D848B2@nist.gov>
In-Reply-To: <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.4r5234)
X-NIST-MailScanner-Information: 
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/Fp2PFqVjR5Aqg7UudG1cDd_AKe4>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 12:08:47 -0000

I have read the document and while not perfect (what is in life?), I 
support its publication.

Scott


On 24 Jul 2016, at 17:06, Warren Kumari wrote:

> Dear Everyone,
>
> A reminder that this WGLC closes tomorrow -- so far we have not really
> seen sufficient feedback on this document. PLEASE review this document
> and provide comment.
>
> I also wanted to make sure people (including the authors) had seen:
> https://www.ietf.org/mail-archive/web/dane/current/msg08382.html
>
> W
>
> On Sat, Jul 9, 2016 at 12:53 PM, Olafur Gudmundsson <ogud@ogud.com> 
> wrote:
>>
>> Dear Colleagues
>>
>> The editors of 
>> https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have
>> requested a WGLC,
>> the chairs are satisfied that the document is in good shape. This 
>> message
>> starts a three week WG LC,
>> that concludes on Monday July 25 23:59 UTC (we have extended the
>> usual 2 weeks because of the upcoming meeting, travel, etc).
>>
>> This document is on the Experimental track, it is a close relative of 
>> a
>> prior document from our group
>> https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/  which 
>> is in
>> AUTH-48 at this point.
>> Any discussions on “local part” other than to point out a 
>> difference between
>> the OPENPGP document and this one are
>> out of scope.
>>
>> Any other issues should be brought forward
>>
>> thanks
>>   Olafur & Warren
>>
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
>>
>
>
>
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


==================================
Scott Rose, NIST
scottr@nist.gov
ph: +1-301-975-8439
Google Voice: +1-571-249-3671


From nobody Mon Jul 25 06:33:28 2016
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF9B412D12E for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 06:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level: 
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzAlWQHc9a_w for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 06:33:25 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C82D12B015 for <dane@ietf.org>; Mon, 25 Jul 2016 06:33:25 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ryhz61YtPz3SS; Mon, 25 Jul 2016 15:33:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1469453602; bh=xJbR4gJjKNZFH2tj2/k6Dg0p8/IPxMjcqFPW9BxVkGs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=tbYqu7vgxZ3v5+T/q+WigFytS5jCWwF+4kyA8H1OtXtVEdWfBofNJMTpuHpxSTbL5 MJexUq71cVKwslbiRLzHHqdtfhCuUPYhYJc6zbBHQRMFWEL2brAMfFZiEKJaErMS4J rR++VC6iEgWu6uuWjoUr2fgkEDnA6U8lwKw6sFno=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 16e1dLJQPDv3; Mon, 25 Jul 2016 15:33:20 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 25 Jul 2016 15:33:20 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 3FC01393D69; Mon, 25 Jul 2016 09:33:19 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 3FC01393D69
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2C9FE415FC87; Mon, 25 Jul 2016 09:33:19 -0400 (EDT)
Date: Mon, 25 Jul 2016 09:33:18 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Warren Kumari <warren@kumari.net>
In-Reply-To: <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com>
Message-ID: <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/M1astzaO7QoPMl9-6Ud_x6bPlok>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 13:33:27 -0000

On Sun, 24 Jul 2016, Warren Kumari wrote:

> A reminder that this WGLC closes tomorrow -- so far we have not really
> seen sufficient feedback on this document. PLEASE review this document
> and provide comment.

I have reviewed the document. I think it is ready for IETF LC but it
could see a few small changes:

It should probably update its reference in the introduction to list
soon to be RFC-7929 (openpgpkey) and wait on that doc (in AUTH48 now)
to go out first.

 	The SMIMEA resource record has no special TTL requirements.

During openpgpkey discussion, it was decided it was better to remove
this line. I would think the same applies to smime.

During openpgpkey discussion, people insisted on specifying the
"experimental goal" of the Experimental RFC. That section is missing
in this document.

Section 3's title is a bit long. In openpgpkey we used a shorter
title. I suggest "Location of the SMIMEA record".

The openpgpkey had updated the "tcp only" phrasing to make it more
layer agnostic and mentions DNS-COOKIES as a defense and method to
allow UDP. You might want to consider using the same approach instead
of banning UDP altogether.

> I also wanted to make sure people (including the authors) had seen:
> https://www.ietf.org/mail-archive/web/dane/current/msg08382.html

This has come up in the past when discussing SMIME. One suggestion was
to use a different prefix (like _encrypt. and _sign). When this was
brought up, the patent status of this was not entirely clear, and there
were privacy discussions raised on exposing queries to the purpose of
the query. Perhaps the document can state that if the certificate is
obtained via SMIMEA, it should be checked whether it is suitable for
the task to perform. And that publishers are encouraged to publish
SMIMEA records for certificates that allow both signing and encryption.
But this latter approach did not have a clear consensus.

Paul

> W
>
> On Sat, Jul 9, 2016 at 12:53 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:
>>
>> Dear Colleagues
>>
>> The editors of https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have
>> requested a WGLC,
>> the chairs are satisfied that the document is in good shape. This message
>> starts a three week WG LC,
>> that concludes on Monday July 25 23:59 UTC (we have extended the
>> usual 2 weeks because of the upcoming meeting, travel, etc).
>>
>> This document is on the Experimental track, it is a close relative of a
>> prior document from our group
>> https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/  which is in
>> AUTH-48 at this point.
>> Any discussions on “local part” other than to point out a difference between
>> the OPENPGP document and this one are
>> out of scope.
>>
>> Any other issues should be brought forward
>>
>> thanks
>>   Olafur & Warren
>>
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
>>
>
>
>
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
>


From nobody Mon Jul 25 07:02:57 2016
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F86712D87A for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 07:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4RrlCe517QG for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 07:02:50 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9EE312D790 for <dane@ietf.org>; Mon, 25 Jul 2016 07:02:49 -0700 (PDT)
Received: from hebrews (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 25 Jul 2016 07:08:54 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Paul Wouters' <paul@nohats.ca>, 'Warren Kumari' <warren@kumari.net>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com> <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca>
Date: Mon, 25 Jul 2016 07:02:36 -0700
Message-ID: <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKO9jUL14/4foXd2RoMMb1DpIWOmgI0XZifAcquQy6ejxVbQA==
Content-Language: en-us
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/z63skYVl6d4slf9QfSCsKXwbyO8>
Cc: 'dane WG list' <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 14:02:56 -0000

> -----Original Message-----
> From: dane [mailto:dane-bounces@ietf.org] On Behalf Of Paul Wouters
> Sent: Monday, July 25, 2016 6:33 AM
> To: Warren Kumari <warren@kumari.net>
> Cc: dane WG list <dane@ietf.org>
> Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
>
> On Sun, 24 Jul 2016, Warren Kumari wrote:
>
> > A reminder that this WGLC closes tomorrow -- so far we have not really
> > seen sufficient feedback on this document. PLEASE review this document
> > and provide comment.
>
> I have reviewed the document. I think it is ready for IETF LC but it
> could see a few small changes:
>
> It should probably update its reference in the introduction to list
> soon to be RFC-7929 (openpgpkey) and wait on that doc (in AUTH48 now)
> to go out first.
>
>  	The SMIMEA resource record has no special TTL requirements.
>
> During openpgpkey discussion, it was decided it was better to remove
> this line. I would think the same applies to smime.
>
> During openpgpkey discussion, people insisted on specifying the
> "experimental goal" of the Experimental RFC. That section is missing
> in this document.
>
> Section 3's title is a bit long. In openpgpkey we used a shorter
> title. I suggest "Location of the SMIMEA record".
>
> The openpgpkey had updated the "tcp only" phrasing to make it more
> layer agnostic and mentions DNS-COOKIES as a defense and method to
> allow UDP. You might want to consider using the same approach instead
> of banning UDP altogether.
>
> > I also wanted to make sure people (including the authors) had seen:
> > https://www.ietf.org/mail-archive/web/dane/current/msg08382.html
>
> This has come up in the past when discussing SMIME. One suggestion was
> to use a different prefix (like _encrypt. and _sign). When this was
> brought up, the patent status of this was not entirely clear, and
> there were privacy discussions raised on exposing queries to the
> purpose of the query. Perhaps the document can state that if the
> certificate is obtained via SMIMEA, it should be checked whether it is
> suitable for the task to perform. And that publishers are encouraged
> to publish SMIMEA records for certificates that allow both signing and
> encryption.
> But this latter approach did not have a clear consensus.

This is not the issue that my message was designed to highlight.  In
S/MIME it is possible to say which of the message formats and which
content encryption algorithms are supported by a client.  This is not
the same as designating if a certificate is being used for encryption or
signing.

Jim

>
> Paul
>
> > W
> >
> > On Sat, Jul 9, 2016 at 12:53 PM, Olafur Gudmundsson <ogud@ogud.com>
> wrote:
> >>
> >> Dear Colleagues
> >>
> >> The editors of
> >> https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have
> >> requested a WGLC, the chairs are satisfied that the document is in
> >> good shape. This message starts a three week WG LC, that concludes on
> >> Monday July 25 23:59 UTC (we have extended the usual 2 weeks because
> >> of the upcoming meeting, travel, etc).
> >>
> >> This document is on the Experimental track, it is a close relative of
> >> a prior document from our group
> >> https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/  which
> >> is in
> >> AUTH-48 at this point.
> >> Any discussions on “local part” other than to point out a difference
> >> between the OPENPGP document and this one are out of scope.
> >>
> >> Any other issues should be brought forward
> >>
> >> thanks
> >>   Olafur & Warren
> >>
> >> _______________________________________________
> >> dane mailing list
> >> dane@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dane
> >>
> >
> >
> >
> > --
> > I don't think the execution is relevant when it was obviously a bad
> > idea in the first place.
> > This is like putting rabid weasels in your pants, and later expressing
> > regret at having chosen those particular rabid weasels and that pair
> > of pants.
> >   ---maf
> >
> > _______________________________________________
> > dane mailing list
> > dane@ietf.org
> > https://www.ietf.org/mailman/listinfo/dane
> >
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From nobody Mon Jul 25 11:42:35 2016
Return-Path: <fk@sys4.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17A9612D591 for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 11:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.588
X-Spam-Level: 
X-Spam-Status: No, score=-5.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sys4.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3kyReDcvHNTc for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 11:42:31 -0700 (PDT)
Received: from mail.sys4.de (mail.sys4.de [194.126.158.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD81212B042 for <dane@ietf.org>; Mon, 25 Jul 2016 11:42:31 -0700 (PDT)
Received: from localhost (echo.sys4.de [127.0.0.1]) by mail.sys4.de (Postfix) with ESMTP id 3ryqqn1m4Qz1LKD for <dane@ietf.org>; Mon, 25 Jul 2016 20:42:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sys4.de; s=fk-sys4-de-201501; t=1469472149; bh=+RwnKAm3+w1r7JlA8s3mzMdOtCgd2y4s24qWFKMjjvY=; h=Date:From:To:Subject:References:In-Reply-To; b=EDNsMcFzpEPs2E1Lyf2pyETjai4tMPrEjR0unLDvWbsPXRnYbC/Ix3soizUhmCJrE TRrXYuMn91LYa1/0WWYq9khF+MFV5nYueu9Bcjt3KOBycLEcbz8APK1cyf5Cm54usP zqzhABijNNaqSJEXenGb52douCRaVVPNbCSXMGyzaLOrlDezGEo34+U9LWb49HxqUQ 8cS4SIG9kjpZVWcxK+YqMQr+LvPtDlvvqzcIoaUZ00PRVW1t1XtljSZALefzEJiR6X hj5i8LE47j1coC6mo6CsL3KyAfkrESL4pqc5unFM78grPNUbLMqBpJcSx24OLL2bQT arHjXPy+yLQjg==
X-Virus-Scanned: amavisd-new at sys4.de
Received: from sys4.de (mail.sys4.de [IPv6:2001:1578:400:111::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.sys4.de (Postfix) with ESMTPSA id 3ryqqn0JxZz1HKJ for <dane@ietf.org>; Mon, 25 Jul 2016 20:42:29 +0200 (CEST)
Date: Mon, 25 Jul 2016 20:42:27 +0200
From: Florian Kirstein <fk@sys4.de>
To: dane@ietf.org
Message-ID: <20160725184227.GA24027@sys4.de>
References: <F0A8D915-CE88-4A8B-BA66-D8163158A90C@vpnc.org> <01af01d1d950$a0dfaf00$e29f0d00$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <01af01d1d950$a0dfaf00$e29f0d00$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/-prrVPCgpVvjMC7DHd9RZ0OFOnM>
Subject: Re: [dane] draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 18:42:34 -0000

Hello,

> Since I have never been in the camp of believing that the email matching
> problem has been solved
Time will tell, but I think we are on a good path. Regarding S/MIME:
looks like Mozilla "fixed" it (after some RFC discussions) to case
insensitive matching in 2002:
https://bugzilla.mozilla.org/show_bug.cgi?id=130692

But regarding your actual concern:

> capabilities of an S/MIME client for encryption to be obtained as part of
> this query?
This is out of the scope of this proposal. Even without DANE you
could want to send a mail to someone without having received a signed
mail from him before. As well as you can and would and should use DANE key
lookup also WHEN replying to a signed mail.

> it is possible to put them into a certificate (RFC 4262) but this has
> problems when they change (you need to get a new certificate)
Still RFC4262 is the RFC to address this problem. Not our key lookup.

Of course it would be possible to add some information about that
also into the DNS - but that would be a third way to publish this
information without any need. Publishing a new cert in DNS isn't
a real problem and CAs (if you for some reason want your cert signed)
might even offer free resigning if only RFC4262 info is changed in
the future. 

It's good you brought this up but I don't see a real problem here
to be solved in the draft...

Greetings,

Florian
-- 
[*] sys4 AG                                                                     
https://sys4.de, +49 (89) 30 90 46 64
Schleissheimer Strasse 26/MG, 80333 Muenchen
Sitz der Gesellschaft: Muenchen, Amtsgericht Muenchen: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


From nobody Mon Jul 25 14:38:21 2016
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B8F12D640 for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 14:38:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level: 
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X8liji8TeXww for <dane@ietfa.amsl.com>; Mon, 25 Jul 2016 14:38:15 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 631D012D0CA for <dane@ietf.org>; Mon, 25 Jul 2016 14:38:14 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ryvkV1jR0z389; Mon, 25 Jul 2016 23:38:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1469482690; bh=ViNZJ5Ftx36oo6+58AeFA/+T4sy4xtrFyc+yoto05TE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Ruilj/jjoG1aLs4rkHrfwM5GrNVOu9v840mP6Ypqgo4CdklOdk0i8XAx4FZ4DkwZW YCv6EyCb6NQua3JCwfg6Pip0M1vuZ2N7sfvQBD8zSaWSbRfKzvEzj0FyIhOI+7Y4or ZPrS9iMp//wau5MY0yKbHIVuc518O+9NqcbhVLu0=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 2ceArAg7u-qu; Mon, 25 Jul 2016 23:38:07 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 25 Jul 2016 23:38:07 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 9E4BA484883; Mon, 25 Jul 2016 17:38:05 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 9E4BA484883
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 80085406A906; Mon, 25 Jul 2016 17:38:05 -0400 (EDT)
Date: Mon, 25 Jul 2016 17:38:05 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Jim Schaad <ietf@augustcellars.com>
In-Reply-To: <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com>
Message-ID: <alpine.LRH.2.20.1607251735570.2962@bofh.nohats.ca>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com> <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca> <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/IwPgVDCLmrveza1TVdfsa1r9YHM>
Cc: 'dane WG list' <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 21:38:18 -0000

On Mon, 25 Jul 2016, Jim Schaad wrote:

> This is not the issue that my message was designed to highlight.  In S/MIME it is possible to say which of the message formats and which content encryption algorithms are supported by a client.  This is not the same as designating if a certificate is being used for encryption or signing.

Oh I see. How is this "possible to say"? If it is part of the S/MIME
certificate, wouldn't it be part of the SMIMEA record, provided that
TLSA selector type 0 (full certificate) is used?

If there are no commonly shared algorithms, perhaps only this type
should be supported?

Paul

> Jim
>
>>
>> Paul
>>
>>> W
>>>
>>> On Sat, Jul 9, 2016 at 12:53 PM, Olafur Gudmundsson <ogud@ogud.com>
>> wrote:
>>>>
>>>> Dear Colleagues
>>>>
>>>> The editors of
>>>> https://datatracker.ietf.org/doc/draft-ietf-dane-smime/ have
>>>> requested a WGLC, the chairs are satisfied that the document is in
>>>> good shape. This message starts a three week WG LC, that concludes on
>>>> Monday July 25 23:59 UTC (we have extended the usual 2 weeks because
>>>> of the upcoming meeting, travel, etc).
>>>>
>>>> This document is on the Experimental track, it is a close relative of
>>>> a prior document from our group
>>>> https://datatracker.ietf.org/doc/draft-ietf-dane-openpgpkey/  which
>>>> is in
>>>> AUTH-48 at this point.
>>>> Any discussions on “local part” other than to point out a difference
>>>> between the OPENPGP document and this one are out of scope.
>>>>
>>>> Any other issues should be brought forward
>>>>
>>>> thanks
>>>>   Olafur & Warren
>>>>
>>>> _______________________________________________
>>>> dane mailing list
>>>> dane@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dane
>>>>
>>>
>>>
>>>
>>> --
>>> I don't think the execution is relevant when it was obviously a bad
>>> idea in the first place.
>>> This is like putting rabid weasels in your pants, and later expressing
>>> regret at having chosen those particular rabid weasels and that pair
>>> of pants.
>>>   ---maf
>>>
>>> _______________________________________________
>>> dane mailing list
>>> dane@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dane
>>>
>>
>> _______________________________________________
>> dane mailing list
>> dane@ietf.org
>> https://www.ietf.org/mailman/listinfo/dane
>
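
As an added illustration of Paul Wouters's question above (whether RFC 4262 capabilities come along with an SMIMEA record that uses TLSA selector type 0) and of the earlier RFC 4262 exchange between Jim Schaad and Florian Kirstein, here is a Go example that is not part of the list discussion, the draft, or any of the posters' own code. It generates a constructed self-signed certificate carrying an SMIMECapabilities extension, builds SMIMEA RDATA for several selector and matching-type combinations, and checks which of them actually carry the extension. The owner-name derivation follows RFC 8162, the published form of this draft (SHA-256 of the local-part, truncated to 28 octets); the e-mail address, the certificate and the single AES-256-CBC capability are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// id-smimeCapabilities (1.2.840.113549.1.9.15): the RFC 4262 extension that
// lists which content-encryption algorithms a recipient's client supports.
var oidSMIMECapabilities = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 15}

// id-aes256-CBC, used only as the constructed sample capability below.
var oidAES256CBC = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 1, 42}

// smimeCapability is one element of the SMIMECapabilities SEQUENCE OF. The
// optional parameters are not modelled: the sample algorithm has none, and
// Go's asn1 decoder tolerates trailing elements inside a SEQUENCE.
type smimeCapability struct{ ID asn1.ObjectIdentifier }

// NewSampleCert builds a constructed, self-signed S/MIME certificate that
// carries an SMIMECapabilities extension. It is test data, not a real cert.
func NewSampleCert(email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	caps, err := asn1.Marshal([]smimeCapability{{ID: oidAES256CBC}})
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: email},
		EmailAddresses:  []string{email},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSMIMECapabilities, Value: caps}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// OwnerName derives the SMIMEA owner name as RFC 8162 specifies: SHA-256 of
// the local-part, truncated to 28 octets and hex-encoded, under _smimecert.
func OwnerName(localPart, domain string) string {
	h := sha256.Sum256([]byte(localPart))
	return hex.EncodeToString(h[:28]) + "._smimecert." + strings.TrimSuffix(domain, ".") + "."
}

// RecordData builds SMIMEA RDATA (same layout as TLSA): usage, selector,
// matching type, then the certificate association data.
func RecordData(cert *x509.Certificate, usage, selector, matching uint8) ([]byte, error) {
	var assoc []byte
	switch selector {
	case 0: assoc = cert.Raw // full certificate: every extension travels with it
	case 1: assoc = cert.RawSubjectPublicKeyInfo // SPKI only: extensions are gone
	default: return nil, errors.New("unsupported selector")
	}
	switch matching {
	case 0: // full association data, verbatim
	case 1: s := sha256.Sum256(assoc); assoc = s[:]
	case 2: s := sha512.Sum512(assoc); assoc = s[:]
	default: return nil, errors.New("unsupported matching type")
	}
	return append([]byte{usage, selector, matching}, assoc...), nil
}

// CapabilitiesFromRecord reports the SMIMECapabilities the record itself
// carries. Only selector 0 with matching type 0 can: a hash (matching 1 or 2)
// merely commits to the certificate, and selector 1 keeps only the key.
func CapabilitiesFromRecord(rdata []byte) ([]asn1.ObjectIdentifier, bool) {
	if len(rdata) < 3 || rdata[1] != 0 || rdata[2] != 0 { return nil, false }
	cert, err := x509.ParseCertificate(rdata[3:])
	if err != nil { return nil, false }
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSMIMECapabilities) { continue }
		var caps []smimeCapability
		if _, err := asn1.Unmarshal(ext.Value, &caps); err != nil { return nil, false }
		ids := make([]asn1.ObjectIdentifier, 0, len(caps))
		for _, c := range caps { ids = append(ids, c.ID) }
		return ids, true
	}
	return nil, false
}

func main() {
	cert, err := NewSampleCert("alice@example.com") // constructed sample address
	if err != nil { panic(err) }
	fmt.Println(OwnerName("alice", "example.com"))
	for _, sel := range []uint8{0, 1} {
		rd, _ := RecordData(cert, 3, sel, 0)
		ids, ok := CapabilitiesFromRecord(rd)
		fmt.Printf("selector %d: %d RDATA bytes, capabilities visible=%v %v\n", sel, len(rd), ok, ids)
	}
}
```

The point the code makes explicit: a record with selector 0 and matching type 0 carries the whole certificate, so an RFC 4262 capabilities extension is obtainable from DNS; with matching type 1 or 2 the record only commits to that certificate, so a client must fetch the certificate elsewhere and can then trust the capabilities only after the DANE match succeeds; with selector 1 the capabilities are never present at all. Recommending that capabilities be available via SMIMEA would therefore amount to recommending selector 0 / matching type 0, which is what the question of supporting "only this type" comes down to.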


From nobody Sun Jul 31 18:06:20 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4A912B02A for <dane@ietfa.amsl.com>; Sun, 31 Jul 2016 18:06:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C8965S4U5jRN for <dane@ietfa.amsl.com>; Sun, 31 Jul 2016 18:06:18 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC2B3128874 for <dane@ietf.org>; Sun, 31 Jul 2016 18:06:17 -0700 (PDT)
Received: from [10.32.60.36] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u7116DUs065262 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 31 Jul 2016 18:06:16 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.36]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Paul Wouters" <paul@nohats.ca>
Date: Sun, 31 Jul 2016 18:06:13 -0700
Message-ID: <4EC937C3-CC19-4E4E-BB3B-A8B9D46739AE@vpnc.org>
In-Reply-To: <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com> <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/kHo_JrOBaGmC9IdVLgZ7ChdTEUc>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 01:06:19 -0000

On 25 Jul 2016, at 6:33, Paul Wouters wrote:

> I have reviewed the document. I think it is ready for IETF LC but it
> could see a few small changes:
>
> It should probably update its reference in the introduction to list
> soon to be RFC-7929 (openpgpkey) and wait on that doc (in AUTH48 now)
> to go out first.

There is no need for that. The IESG can correlate them just fine.

> 	The SMIMEA resource record has no special TTL requirements.
>
> During openpgpkey discussion, it was decided it was better to remove
> this line. I would think the same applies to smime.

Sorry, I missed that in my review of the openpgpkey document. I'll 
remove it for the next draft.

> During openpgpkey discussion, people insisted on specifying the
> "experimental goal" of the Experimental RFC. That section is missing
> in this document.

<sigh> Added.

> Section 3's title is a bit long. In openpgpkey we used a shorter
> title. I suggest "Location of the SMIMEA record".

Done.

> The openpgpkey had updated the "tcp only" phrasing to make it more
> layer agnostic and mentions DNS-COOKIES as a defense and method to
> allow UDP. You might want to consider using the same approach instead
> of banning UDP altogether.

Done.

>> I also wanted to make sure people (including the authors) had seen:
>> https://www.ietf.org/mail-archive/web/dane/current/msg08382.html
>
> This has come up in the past when discussing SMIME. One suggestion was
> to use a different prefix (like _encrypt. and _sign). When this was
> brought up, the patent status of this was not entirely clear, and 
> there
> were privacy discussions raised on exposing queries to the purpose of
> the query. Perhaps the document can state that if the certificate is
> obtained via SMIMEA, it should be checked whether it is suitable for
> the task to perform. And that publishers are encouraged to publish
> SMIMEA records for certificates that allow both signing and 
> encryption.
> But this latter approach did not have a clear consensus.

See the following message.

--Paul Hoffman


From nobody Sun Jul 31 18:08:41 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C3A112D0C6 for <dane@ietfa.amsl.com>; Sun, 31 Jul 2016 18:08:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgomt3IDDd0z for <dane@ietfa.amsl.com>; Sun, 31 Jul 2016 18:08:38 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D2F512D0C4 for <dane@ietf.org>; Sun, 31 Jul 2016 18:08:38 -0700 (PDT)
Received: from [10.32.60.36] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u7118BXc065311 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 31 Jul 2016 18:08:13 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.36]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Jim Schaad" <ietf@augustcellars.com>
Date: Sun, 31 Jul 2016 18:08:11 -0700
Message-ID: <82DB30B8-FA78-4B35-AE4B-CC6AC984715E@vpnc.org>
In-Reply-To: <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com> <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca> <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/r2bmrL1Bmbc0qTG2oIYRZellwx0>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 01:08:39 -0000

On 25 Jul 2016, at 7:02, Jim Schaad wrote:

>>> I also wanted to make sure people (including the authors) had seen:
>>> https://www.ietf.org/mail-archive/web/dane/current/msg08382.html
>>
>> This has come up in the past when discussing SMIME. One suggestion 
>> was to use
>> a different prefix (like _encrypt. and _sign). When this was brought 
>> up, the
>> patent status of this was not entirely clear, and there were privacy 
>> discussions
>> raised on exposing queries to the purpose of the query. Perhaps the 
>> document
>> can state that if the certificate is obtained via SMIMEA, it should 
>> be checked
>> whether it is suitable for the task to perform. And that publishers 
>> are
>> encouraged to publish SMIMEA records for certificates that allow both 
>> signing
>> and encryption.
>> But this latter approach did not have a clear consensus.
>
> This is not the issue that my message was designed to highlight.  In 
> S/MIME it is possible to say which of the message formats and which 
> content encryption algorithms are supported by a client.  This is not 
> the same as designating if a certificate is being used for encryption 
> or signing.

We will add a mention of RFC 4262 to the draft.

--Paul Hoffman


From nobody Sun Jul 31 23:14:52 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dane@ietf.org
Delivered-To: dane@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A1EB312D12D; Sun, 31 Jul 2016 23:14:49 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.29.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160801061449.7893.37.idtracker@ietfa.amsl.com>
Date: Sun, 31 Jul 2016 23:14:49 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/uUIj2w9-5Act1UBziI8B2bBQoRE>
Cc: dane@ietf.org
Subject: [dane] I-D Action: draft-ietf-dane-smime-12.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 06:14:49 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the DNS-based Authentication of Named Entities of the IETF.

        Title           : Using Secure DNS to Associate Certificates with Domain Names For S/MIME
        Authors         : Paul Hoffman
                          Jakob Schlyter
	Filename        : draft-ietf-dane-smime-12.txt
	Pages           : 11
	Date            : 2016-07-31

Abstract:
   This document describes how to use secure DNS to associate an S/MIME
   user's certificate with the intended domain name, similar to the way
   that DANE (RFC 6698) does for TLS.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dane-smime/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-dane-smime-12

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dane-smime-12


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

