
From nobody Mon Aug  1 07:43:03 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8C3412DB0C for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 07:42:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPe_EJDm_dY7 for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 07:42:57 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7906F12DB26 for <dane@ietf.org>; Mon,  1 Aug 2016 07:42:29 -0700 (PDT)
Received: from [10.32.60.129] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u71EgSnd002187 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dane@ietf.org>; Mon, 1 Aug 2016 07:42:28 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.129]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: dane@ietf.org
Date: Mon, 01 Aug 2016 07:42:28 -0700
Message-ID: <8805FE98-EBD1-44C9-9335-B4E7ACD8D3A6@vpnc.org>
In-Reply-To: <20160801061449.7893.37.idtracker@ietfa.amsl.com>
References: <20160801061449.7893.37.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/lu5PGEBkgpvJA0kHG0u-Q_o7BDk>
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-12.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 14:43:00 -0000

Jakob and I think this addresses all the actionable comments we got in 
WG Last Call.

--Paul Hoffman

On 31 Jul 2016, at 23:14, internet-drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the DNS-based Authentication of Named Entities of the IETF.
>
>         Title           : Using Secure DNS to Associate Certificates with Domain Names For S/MIME
>         Authors         : Paul Hoffman
>                           Jakob Schlyter
>         Filename        : draft-ietf-dane-smime-12.txt
>         Pages           : 11
>         Date            : 2016-07-31
>
> Abstract:
>    This document describes how to use secure DNS to associate an S/MIME
>    user's certificate with the intended domain name, similar to the way
>    that DANE (RFC 6698) does for TLS.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dane-smime/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-dane-smime-12
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dane-smime-12
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From nobody Mon Aug  1 09:17:41 2016
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBA5A12D147 for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 09:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level: 
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBq0bA6Gj72W for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 09:17:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA7D112D0C7 for <dane@ietf.org>; Mon,  1 Aug 2016 09:17:38 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3s34HL1bzWz3C0; Mon,  1 Aug 2016 18:17:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1470068254; bh=F5WEdZQvD0kdOdr7O5oH66ioCTNbxRH1LfGqW9DC2q8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=TI1Q8d2aa0SbYYvcl+rzK88/LOrOAm/Ht/2Se0ih8WRCR7UatjHR++hW4sIZt5utO DVzioqtopzhvwmY63Y31BnGupgDSEL5Yf2Bm0PQmZ6ZVx0ll5ewgty7jwmCWSCbGbA VvX+5m1MVenxJGHTAPOjaoyKM/oERS2EOfGATLtY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id zGWwkO9Y0wsn; Mon,  1 Aug 2016 18:17:33 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon,  1 Aug 2016 18:17:32 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 00449393BF7; Mon,  1 Aug 2016 12:17:31 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 00449393BF7
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id E2090406A90E; Mon,  1 Aug 2016 12:17:31 -0400 (EDT)
Date: Mon, 1 Aug 2016 12:17:31 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <8805FE98-EBD1-44C9-9335-B4E7ACD8D3A6@vpnc.org>
Message-ID: <alpine.LRH.2.20.1608011214350.1220@bofh.nohats.ca>
References: <20160801061449.7893.37.idtracker@ietfa.amsl.com> <8805FE98-EBD1-44C9-9335-B4E7ACD8D3A6@vpnc.org>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/hIJt4FJnpsCC44EyL0Sny08oxzU>
Cc: dane@ietf.org
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-12.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 16:17:40 -0000

On Mon, 1 Aug 2016, Paul Hoffman wrote:

> Jakob and I think this addresses all the actionable comments we got in WG 
> Last Call.

You added:

    9.1.  Response Size

       To prevent amplification attacks, an Authoritative DNS server MAY
       wish to prevent returning SMIMEA records over UDP unless the source
       IP address has been confirmed with [RFC7873].  Such servers MUST NOT
       return REFUSED, but answer the query with an empty answer section and
       the truncation flag set ("TC=1").


I do not find this text very clear. I propose:

       To prevent amplification attacks, an Authoritative DNS server MAY
       wish to prevent returning SMIMEA records over UDP unless the source
       IP address has been confirmed with [RFC7873].  If a query is received
       via UDP without source IP address verification, the server MUST NOT
       return REFUSED, but answer the query with an empty answer section and
       the truncation flag set ("TC=1").


All other issues I raised were resolved with this updated draft.

Paul
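The Section 9.1 behaviour discussed in this message (the draft's text and the proposed rewording, which Paul Hoffman accepts later in the thread) is easy to get subtly wrong, so here is an added example of the rule as an authoritative server would apply it. It is not code from the draft or from anyone on the list. It models the decision only: the query parser handles a single uncompressed question, the zone contents and the `_smimecert` owner name's hash label are constructed placeholders, and whether the source address has been confirmed with an RFC 7873 cookie is a boolean supplied by the caller rather than a cookie check implemented here.

```python
# Added example (not from the draft or the thread): applying the proposed
# Section 9.1 rule to an SMIMEA query.  Cookie validation (RFC 7873) is assumed
# to have been done by the caller; names and RDATA below are constructed.
import struct

SMIMEA = 53        # RR type number assigned to SMIMEA
RCODE_REFUSED = 5  # the response the proposed text says MUST NOT be sent
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Wire-format a domain name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qid: int, qname: str, qtype: int) -> bytes:
    """Constructed client query: RD set, one question, no EDNS."""
    return struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(wire: bytes) -> dict:
    """Header plus the first question; compression pointers are rejected."""
    if len(wire) < 12:
        raise ValueError("short packet")
    qid, flags, qdcount, _, _, _ = struct.unpack("!6H", wire[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    pos += 4
    return {"id": qid, "flags": flags, "qname": ".".join(labels) + ".",
            "qtype": qtype, "qclass": qclass, "question": wire[12:pos]}


def parse_header(wire: bytes) -> dict:
    """Fields of a response header that the policy is judged on."""
    qid, flags, qd, an, _, _ = struct.unpack("!6H", wire[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def truncated_response(q: dict) -> bytes:
    """What the proposed text asks for: NOERROR, empty answer section, TC=1,
    question echoed.  The client retries over TCP, where the handshake proves
    it really holds the source address."""
    flags = FLAG_QR | FLAG_AA | FLAG_TC | (q["flags"] & FLAG_RD)
    return struct.pack("!6H", q["id"], flags, 1, 0, 0, 0) + q["question"]


def full_response(q: dict, rdatas: list, ttl: int = 3600) -> bytes:
    """Normal answer: one RR per RDATA, owner name as a pointer to the question."""
    flags = FLAG_QR | FLAG_AA | (q["flags"] & FLAG_RD)
    msg = struct.pack("!6H", q["id"], flags, 1, len(rdatas), 0, 0) + q["question"]
    for rdata in rdatas:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", q["qtype"], q["qclass"], ttl, len(rdata)) + rdata
    return msg


def handle(wire: bytes, transport: str, source_verified: bool, zone: dict):
    """Apply the rule: SMIMEA over UDP from an unverified source gets the
    truncated reply, never REFUSED; everything else is answered normally."""
    q = parse_query(wire)
    if q["qtype"] == SMIMEA and transport == "udp" and not source_verified:
        return "truncate", truncated_response(q)
    return "answer", full_response(q, zone.get((q["qname"], q["qtype"]), []))


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes returned per byte received: the ratio a reflection attack exploits."""
    return len(response) / len(query)


# Constructed zone: usage 3 / selector 0 / matching type 0, then a placeholder
# blob standing in for a full certificate (not a real SMIMEA record).
SAMPLE_ZONE = {("c0ffee._smimecert.example.com.", SMIMEA): [b"\x03\x00\x00" + b"\xAB" * 600]}
SAMPLE_QUERY = build_query(0x1234, "c0ffee._smimecert.example.com.", SMIMEA)

if __name__ == "__main__":
    for transport, verified in (("udp", False), ("udp", True), ("tcp", False)):
        action, resp = handle(SAMPLE_QUERY, transport, verified, SAMPLE_ZONE)
        print(transport, verified, action, parse_header(resp),
              "x%.1f" % amplification_factor(SAMPLE_QUERY, resp))
```

Running it shows why the text prefers TC=1 over REFUSED: the truncated reply is the same size as the query (no amplification) and the client's resolver retries over TCP on its own, whereas REFUSED would make a legitimate resolver give up on the name entirely.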


From nobody Mon Aug  1 10:53:36 2016
Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE03A12DA21 for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 10:53:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iL8ybaXFuLyv for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 10:53:33 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 463FB12DA02 for <dane@ietf.org>; Mon,  1 Aug 2016 10:53:33 -0700 (PDT)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 1 Aug 2016 10:59:42 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com> <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca> <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com> <82DB30B8-FA78-4B35-AE4B-CC6AC984715E@vpnc.org>
In-Reply-To: <82DB30B8-FA78-4B35-AE4B-CC6AC984715E@vpnc.org>
Date: Mon, 1 Aug 2016 10:53:29 -0700
Message-ID: <01e501d1ec1d$9d8bb300$d8a31900$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKO9jUL14/4foXd2RoMMb1DpIWOmgI0XZifAcquQy4B8k1y1QE+dBxjnoDQJvA=
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/P47Ca2XGmmjHOKzV02tQNds0tHs>
Cc: 'dane WG list' <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 17:53:35 -0000

A more complete statement might have been nicer, but I will assume that
anybody implementing this knows about S/MIME capabilities. 

What is there is adequate to address my comment.

Jim


> -----Original Message-----
> From: Paul Hoffman [mailto:paul.hoffman@vpnc.org]
> Sent: Sunday, July 31, 2016 6:08 PM
> To: Jim Schaad <ietf@augustcellars.com>
> Cc: dane WG list <dane@ietf.org>
> Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
> 
> On 25 Jul 2016, at 7:02, Jim Schaad wrote:
> 
> >>> I also wanted to make sure people (including the authors) had seen:
> >>> https://www.ietf.org/mail-archive/web/dane/current/msg08382.html
> >>
> >> This has come up in the past when discussing SMIME. One suggestion
> >> was to use a different prefix (like _encrypt. and _sign). When this
> >> was brought up, the patent status of this was not entirely clear, and
> >> there were privacy discussions raised on exposing queries to the
> >> purpose of the query. Perhaps the document can state that if the
> >> certificate is obtained via SMIMEA, it should be checked whether it
> >> is suitable for the task to perform. And that publishers are
> >> encouraged to publish SMIMEA records for certificates that allow both
> >> signing and encryption.
> >> But this latter approach did not have a clear consensus.
> >
> > This is not the issue that my message was designed to highlight.  In
> > S/MIME it is possible to say which of the message formats and which
> > content encryption algorithms are supported by a client.  This is not
> > the same as designating if a certificate is being used for encryption
> > or signing.
> 
> We will add a mention of RFC 4262 to the draft.
> 
> --Paul Hoffman


From nobody Mon Aug  1 11:16:08 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF7412DD33 for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 11:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cCEKUmsh6_-U for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 11:16:06 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B72D012D520 for <dane@ietf.org>; Mon,  1 Aug 2016 11:16:06 -0700 (PDT)
Received: from [10.32.60.129] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u71IG02m017530 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 1 Aug 2016 11:16:02 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.129]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Jim Schaad" <ietf@augustcellars.com>
Date: Mon, 01 Aug 2016 11:16:00 -0700
Message-ID: <B98830E5-5417-4AB0-8D3C-E58B0E6FF1C2@vpnc.org>
In-Reply-To: <01e501d1ec1d$9d8bb300$d8a31900$@augustcellars.com>
References: <F7B890A0-6A67-41C0-B46A-831EC55452D3@ogud.com> <CAHw9_i+2wGPgKk9oKJLH+ZF-5pztPMeDv+4=SXP5qgM1-PH7fw@mail.gmail.com> <alpine.LRH.2.20.1607250908430.18124@bofh.nohats.ca> <032801d1e67d$34d80d90$9e8828b0$@augustcellars.com> <82DB30B8-FA78-4B35-AE4B-CC6AC984715E@vpnc.org> <01e501d1ec1d$9d8bb300$d8a31900$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/eSCcu3fP3iC3VmjaSDD0I0ZyCgg>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Working group Last call: draft-ietf-dane-smime-11.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 18:16:07 -0000

On 1 Aug 2016, at 10:53, Jim Schaad wrote:

> A more complete statement might have been nicer, but I will assume that
> anybody implementing this knows about S/MIME capabilities.

And if they don't know about 4642, nothing we say here is going to help 
them get it right.

> What is there is adequate to address my comment.

Great, thanks.

--Paul Hoffman


From nobody Mon Aug  1 11:17:12 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E5C012DD35 for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 11:17:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pVYVZVsJ9cSj for <dane@ietfa.amsl.com>; Mon,  1 Aug 2016 11:17:09 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1217012D520 for <dane@ietf.org>; Mon,  1 Aug 2016 11:17:09 -0700 (PDT)
Received: from [10.32.60.129] (50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u71IH7Ur017789 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 1 Aug 2016 11:17:08 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-98-193.dsl.dynamic.fusionbroadband.com [50.1.98.193] claimed to be [10.32.60.129]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "Paul Wouters" <paul@nohats.ca>
Date: Mon, 01 Aug 2016 11:17:07 -0700
Message-ID: <E32F91C8-7D48-44B3-AD16-64D42BDEE90E@vpnc.org>
In-Reply-To: <alpine.LRH.2.20.1608011214350.1220@bofh.nohats.ca>
References: <20160801061449.7893.37.idtracker@ietfa.amsl.com> <8805FE98-EBD1-44C9-9335-B4E7ACD8D3A6@vpnc.org> <alpine.LRH.2.20.1608011214350.1220@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/otUYkaNxgtqkA-qmL9zocwxK6B0>
Cc: dane@ietf.org
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-12.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 18:17:10 -0000

On 1 Aug 2016, at 9:17, Paul Wouters wrote:

> On Mon, 1 Aug 2016, Paul Hoffman wrote:
>
>> Jakob and I think this addresses all the actionable comments we got in WG Last Call.
>
> You added:
>
>     9.1.  Response Size
>
>        To prevent amplification attacks, an Authoritative DNS server MAY
>        wish to prevent returning SMIMEA records over UDP unless the source
>        IP address has been confirmed with [RFC7873].  Such servers MUST NOT
>        return REFUSED, but answer the query with an empty answer section and
>        the truncation flag set ("TC=1").
>
>
> I do not find this text very clear. I propose:
>
>        To prevent amplification attacks, an Authoritative DNS server MAY
>        wish to prevent returning SMIMEA records over UDP unless the source
>        IP address has been confirmed with [RFC7873].  If a query is received
>        via UDP without source IP address verification, the server MUST NOT
>        return REFUSED, but answer the query with an empty answer section and
>        the truncation flag set ("TC=1").

This seems fine; I'll queue it for the next draft after IETF Last Call.

> All other issues I raised were resolved with this updated draft.

Great, thanks.

--Paul Hoffman


From nobody Fri Aug  5 10:46:33 2016
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD34812D952; Fri,  5 Aug 2016 10:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.889
X-Spam-Level: 
X-Spam-Status: No, score=-103.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glgVFfrp7P9T; Fri,  5 Aug 2016 10:46:30 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1383112D955; Fri,  5 Aug 2016 10:46:30 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 0BD68B81144; Fri,  5 Aug 2016 10:46:30 -0700 (PDT)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
X-PHP-Originating-Script: 1005:ams_util_lib.php
From: rfc-editor@rfc-editor.org
Message-Id: <20160805174630.0BD68B81144@rfc-editor.org>
Date: Fri,  5 Aug 2016 10:46:30 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/7hRc1QDlP-i__415-VylSXiwsLE>
Cc: drafts-update-ref@iana.org, dane@ietf.org, rfc-editor@rfc-editor.org
Subject: [dane] RFC 7929 on DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2016 17:46:32 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 7929

        Title:      DNS-Based Authentication of Named Entities 
                    (DANE) Bindings for OpenPGP 
        Author:     P. Wouters
        Status:     Experimental
        Stream:     IETF
        Date:       August 2016
        Mailbox:    pwouters@redhat.com
        Pages:      20
        Characters: 44695
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-dane-openpgpkey-12.txt

        URL:        https://www.rfc-editor.org/info/rfc7929

        DOI:        http://dx.doi.org/10.17487/RFC7929

OpenPGP is a message format for email (and file) encryption that
lacks a standardized lookup mechanism to securely obtain OpenPGP
public keys.  DNS-Based Authentication of Named Entities (DANE) is a
method for publishing public keys in DNS.  This document specifies a
DANE method for publishing and locating OpenPGP public keys in DNS
for a specific email address using a new OPENPGPKEY DNS resource
record.  Security is provided via Secure DNS, however the OPENPGPKEY
record is not a replacement for verification of authenticity via the
"web of trust" or manual verification.  The OPENPGPKEY record can be
used to encrypt an email that would otherwise have to be sent
unencrypted.

This document is a product of the DNS-based Authentication of Named Entities Working Group of the IETF.


EXPERIMENTAL: This memo defines an Experimental Protocol for the
Internet community.  It does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  https://www.ietf.org/mailman/listinfo/ietf-announce
  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see https://www.rfc-editor.org/search
For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC
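The announcement's abstract says OPENPGPKEY records are located "for a specific email address"; the owner name that makes this work is what the erratum later on this page is about. As an added example (not code from RFC 7929 or the RFC Editor), here is the owner-name derivation as RFC 7929 Section 3 specifies it: SHA2-256 of the local-part, truncated to 28 octets, lowercase hex, under the `_openpgpkey` label of the domain. The `matches_owner` helper is an addition for checking a name against the abbreviated `xxxx[...]yy` form used in errata text; the sample addresses are constructed, and no case normalization of the local-part is attempted (the caller is assumed to pass the form the publisher used).

```python
# Added example (not from RFC 7929): compute the OPENPGPKEY (RR type 61)
# owner name for an email address, per RFC 7929 Section 3.
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"
TRUNCATED_OCTETS = 28  # 224 bits, rendered as 56 hex digits


def split_address(address: str):
    """Split on the last '@'; a quoted local-part may itself contain '@'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an addr-spec: %r" % address)
    return local, domain


def hash_local_part(local: str) -> str:
    """SHA2-256 over the local-part as given, truncated to 28 octets, lowercase hex.
    Assumption: no case folding or other normalization of the local-part."""
    return hashlib.sha256(local.encode("utf-8")).digest()[:TRUNCATED_OCTETS].hex()


def openpgpkey_owner(address: str) -> str:
    """Fully qualified owner name to query for the address's OPENPGPKEY record."""
    local, domain = split_address(address)
    # DNS names are case-insensitive, so the domain is lowercased for a stable name.
    return "%s.%s.%s." % (hash_local_part(local), OPENPGPKEY_LABEL, domain.lower().rstrip("."))


def matches_owner(address: str, owner: str) -> bool:
    """Check a name seen in a response or a document example against the address.
    An abbreviated form such as '8d57[...]b7._openpgpkey.example.com' is compared
    on the visible prefix and suffix only."""
    expected = openpgpkey_owner(address).rstrip(".")
    owner = owner.lower().rstrip(".")
    if "[...]" not in owner:
        return owner == expected
    head, tail = owner.split("[...]", 1)
    return expected.startswith(head) and expected.endswith(tail)


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("hugh@example.com", "abc@example.com"):
        print(addr, "->", openpgpkey_owner(addr))
```

Because only a truncated hash of the local-part is published, the record can be located without the zone listing addresses in the clear, but anyone who can guess a local-part can still confirm it exists; and, as the abstract notes, a DNSSEC-validated answer proves only that the zone operator published the key, not that the key belongs to the person.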



From nobody Sat Aug  6 09:33:25 2016
Return-Path: <ogud@ogud.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2B6012D51B for <dane@ietfa.amsl.com>; Sat,  6 Aug 2016 09:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0vqE1mwnH0Wi for <dane@ietfa.amsl.com>; Sat,  6 Aug 2016 09:33:22 -0700 (PDT)
Received: from smtp76.iad3a.emailsrvr.com (smtp76.iad3a.emailsrvr.com [173.203.187.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32CFD12B025 for <dane@ietf.org>; Sat,  6 Aug 2016 09:33:22 -0700 (PDT)
Received: from smtp26.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp26.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id CF54FC01A0 for <dane@ietf.org>; Sat,  6 Aug 2016 12:33:09 -0400 (EDT)
X-Auth-ID: ogud@ogud.com
Received: by smtp26.relay.iad3a.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id B4858C0189 for <dane@ietf.org>; Sat,  6 Aug 2016 12:33:09 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [10.20.30.43] (pool-173-66-168-84.washdc.fios.verizon.net [173.66.168.84]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.7.1); Sat, 06 Aug 2016 12:33:09 -0400
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <20160805174630.0BD68B81144@rfc-editor.org>
Date: Sat, 6 Aug 2016 12:33:09 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F21E7A4D-CF58-4905-BFCC-C1E0A2D0D660@ogud.com>
References: <20160805174630.0BD68B81144@rfc-editor.org>
To: dane WG list <dane@ietf.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/gPMYxOS5vGnvubFN7hmRNbbj7cg>
Subject: Re: [dane] RFC 7929 on DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Aug 2016 16:33:24 -0000

The chairs want to thank Paul for his hard work in getting this
RFC published.
In my long career as WG chair/document cat herder this was
one of the most difficult ones.

   Olafur

> On Aug 5, 2016, at 1:46 PM, rfc-editor@rfc-editor.org wrote:
>
> A new Request for Comments is now available in online RFC libraries.
>
>
>        RFC 7929
>
>        Title:      DNS-Based Authentication of Named Entities
>                    (DANE) Bindings for OpenPGP
>        Author:     P. Wouters
>        Status:     Experimental
>        Stream:     IETF
>        Date:       August 2016
>        Mailbox:    pwouters@redhat.com
>        Pages:      20
>        Characters: 44695
>        Updates/Obsoletes/SeeAlso:   None
>
>        I-D Tag:    draft-ietf-dane-openpgpkey-12.txt
>
>        URL:        https://www.rfc-editor.org/info/rfc7929
>
>        DOI:        http://dx.doi.org/10.17487/RFC7929
>
> OpenPGP is a message format for email (and file) encryption that
> lacks a standardized lookup mechanism to securely obtain OpenPGP
> public keys.  DNS-Based Authentication of Named Entities (DANE) is a
> method for publishing public keys in DNS.  This document specifies a
> DANE method for publishing and locating OpenPGP public keys in DNS
> for a specific email address using a new OPENPGPKEY DNS resource
> record.  Security is provided via Secure DNS, however the OPENPGPKEY
> record is not a replacement for verification of authenticity via the
> "web of trust" or manual verification.  The OPENPGPKEY record can be
> used to encrypt an email that would otherwise have to be sent
> unencrypted.
>
> This document is a product of the DNS-based Authentication of Named Entities Working Group of the IETF.
>
>
> EXPERIMENTAL: This memo defines an Experimental Protocol for the
> Internet community.  It does not specify an Internet standard of any
> kind. Discussion and suggestions for improvement are requested.
> Distribution of this memo is unlimited.
>
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
>  https://www.ietf.org/mailman/listinfo/ietf-announce
>  https://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>
> For searching the RFC series, see https://www.rfc-editor.org/search
> For downloading RFCs, see https://www.rfc-editor.org/retrieve/bulk
>
> Requests for special distribution should be addressed to either the
> author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
> specifically noted otherwise on the RFC itself, all RFCs are for
> unlimited distribution.
>
>
> The RFC Editor Team
> Association Management Solutions, LLC
>
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane


From nobody Sun Aug  7 21:52:23 2016
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBA2012D56C for <dane@ietfa.amsl.com>; Sun,  7 Aug 2016 21:52:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.849
X-Spam-Level: 
X-Spam-Status: No, score=-103.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.247, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aN3xg28mocza for <dane@ietfa.amsl.com>; Sun,  7 Aug 2016 21:52:20 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9809126579 for <dane@ietf.org>; Sun,  7 Aug 2016 21:52:20 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id B8D73B80DB5; Sun,  7 Aug 2016 21:52:20 -0700 (PDT)
To: pwouters@redhat.com, stephen.farrell@cs.tcd.ie, Kathleen.Moriarty.ietf@gmail.com, warren@kumari.net, ogud@ogud.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160808045220.B8D73B80DB5@rfc-editor.org>
Date: Sun,  7 Aug 2016 21:52:20 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/Ki2QxuSGVMIRmTJ0OLHGxFVM9aw>
Cc: rfc-editor@rfc-editor.org, james@manger.com.au, dane@ietf.org
Subject: [dane] [Editorial Errata Reported] RFC7929 (4768)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 04:52:22 -0000

The following errata report has been submitted for RFC7929,
"DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=7929&eid=4768

--------------------------------------
Type: Editorial
Reported by: James Manger <james@manger.com.au>

Section: 5.3.

Original Text
-------------
For example, if the OPENPGPKEY RR query for hugh@example.com
(8d57[...]b7._openpgpkey.example.com) yields a CNAME to
8d57[...]b7._openpgpkey.example.net, and an OPENPGPKEY RR for
8d57[...]b7._openpgpkey.example.net exists,

Corrected Text
--------------
For example, if the OPENPGPKEY RR query for hugh@example.com
(c93f[...]d6._openpgpkey.example.com) yields a CNAME to
c93f[...]d6._openpgpkey.example.net, and an OPENPGPKEY RR for
c93f[...]d6._openpgpkey.example.net exists,

Notes
-----
The example hash 8d57[...]b7 is wrong. It has been calculated with the wrong hash algorithm: SHA-224, instead of SHA-256. The correct hash is c93f[...]d6, which is shown in the example in section 3.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC7929 (draft-ietf-dane-openpgpkey-12)
--------------------------------------
Title               : DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
Publication Date    : August 2016
Author(s)           : P. Wouters
Category            : EXPERIMENTAL
Source              : DNS-based Authentication of Named Entities
Area                : Security
Stream              : IETF
Verifying Party     : IESG


From nobody Mon Aug  8 07:08:04 2016
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A24B126D74 for <dane@ietfa.amsl.com>; Mon,  8 Aug 2016 07:08:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.247
X-Spam-Level: 
X-Spam-Status: No, score=-3.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-1.247] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NR3Onrv7U9P3 for <dane@ietfa.amsl.com>; Mon,  8 Aug 2016 07:07:59 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F32412D839 for <dane@ietf.org>; Mon,  8 Aug 2016 07:07:59 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3s7K4X5SQQz3nt; Mon,  8 Aug 2016 16:07:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1470665276; bh=zrv8nUt7d2UW0A1dNcCXMrFRU9fBaH6Eyu0ZcHTQFQ8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=spuAFNtnUbHIe5mWOyN2gLTynvhlEv8btItW+XOcd4b1Gd+/UjZo0cEsuc1xtoLgR u5NgTULMa2hQfu7SaOIXTMYviV4OGyovkjOkxrXnmVY9XCHtHb838b45GlK+vNad4B fIKi+SnQ3IMvqsuX6W7vJ0JrvqFRX7iUyXQN0z3c=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id ReYqB_9FWsNn; Mon,  8 Aug 2016 16:07:55 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon,  8 Aug 2016 16:07:55 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 5E97F352954; Mon,  8 Aug 2016 10:07:44 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 5E97F352954
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4848D406758F; Mon,  8 Aug 2016 10:07:44 -0400 (EDT)
Date: Mon, 8 Aug 2016 10:07:44 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: RFC Errata System <rfc-editor@rfc-editor.org>
In-Reply-To: <20160808045220.B8D73B80DB5@rfc-editor.org>
Message-ID: <alpine.LRH.2.20.1608081005320.1715@bofh.nohats.ca>
References: <20160808045220.B8D73B80DB5@rfc-editor.org>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/PxlABBXuXUnSe5kmdUW9VcZvJRs>
Cc: dane@ietf.org, james@manger.com.au, Kathleen.Moriarty.ietf@gmail.com, pwouters@redhat.com
Subject: Re: [dane] [Editorial Errata Reported] RFC7929 (4768)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 14:08:03 -0000

On Sun, 7 Aug 2016, RFC Errata System wrote:

> The following errata report has been submitted for RFC7929,
> "DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP".
>
> --------------------------------------
> You may review the report below and at:
> http://www.rfc-editor.org/errata_search.php?rfc=7929&eid=4768
>
> --------------------------------------
> Type: Editorial
> Reported by: James Manger <james@manger.com.au>
>
> Section: 5.3.
>
> Original Text
> -------------
> For example, if the OPENPGPKEY RR query for hugh@example.com
> (8d57[...]b7._openpgpkey.example.com) yields a CNAME to
> 8d57[...]b7._openpgpkey.example.net, and an OPENPGPKEY RR for
> 8d57[...]b7._openpgpkey.example.net exists,
>
> Corrected Text
> --------------
> For example, if the OPENPGPKEY RR query for hugh@example.com
> (c93f[...]d6._openpgpkey.example.com) yields a CNAME to
> c93f[...]d6._openpgpkey.example.net, and an OPENPGPKEY RR for
> c93f[...]d6._openpgpkey.example.net exists,
>
> Notes
> -----
> The example hash 8d57[...]b7 is wrong. It has been calculated with the wrong hash algorithm: SHA-224, instead of SHA-256. The correct hash is c93f[...]d6, which is shown in the example in section 3.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party (IESG)
> can log in to change the status and edit the report, if necessary.

The errata is correct :/

Paul


From nobody Mon Aug  8 07:23:17 2016
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5017E12D0D3; Mon,  8 Aug 2016 07:23:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.849
X-Spam-Level: 
X-Spam-Status: No, score=-103.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.247, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HaGlTr4Kjcpy; Mon,  8 Aug 2016 07:23:07 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D491612B02E; Mon,  8 Aug 2016 07:23:06 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id CB1BCB80D92; Mon,  8 Aug 2016 07:23:06 -0700 (PDT)
To: james@manger.com.au, pwouters@redhat.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160808142306.CB1BCB80D92@rfc-editor.org>
Date: Mon,  8 Aug 2016 07:23:06 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/L33s8SYaj4bO9IzZyLAQ06cZ7qo>
Cc: rfc-editor@rfc-editor.org, dane@ietf.org, iesg@ietf.org
Subject: [dane] [Errata Verified] RFC7929 (4768)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 14:23:09 -0000

The following errata report has been verified for RFC7929,
"DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP". 

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=7929&eid=4768

--------------------------------------
Status: Verified
Type: Editorial

Reported by: James Manger <james@manger.com.au>
Date Reported: 2016-08-08
Verified by: Stephen Farrell (IESG)

Section: 5.3.

Original Text
-------------
For example, if the OPENPGPKEY RR query for hugh@example.com
(8d57[...]b7._openpgpkey.example.com) yields a CNAME to
8d57[...]b7._openpgpkey.example.net, and an OPENPGPKEY RR for
8d57[...]b7._openpgpkey.example.net exists,

Corrected Text
--------------
For example, if the OPENPGPKEY RR query for hugh@example.com
(c93f[...]d6._openpgpkey.example.com) yields a CNAME to
c93f[...]d6._openpgpkey.example.net, and an OPENPGPKEY RR for
c93f[...]d6._openpgpkey.example.net exists,

Notes
-----
The example hash 8d57[...]b7 is wrong. It has been calculated with the wrong hash algorithm: SHA-224, instead of SHA-256. The correct hash is c93f[...]d6, which is shown in the example in section 3.

--------------------------------------
RFC7929 (draft-ietf-dane-openpgpkey-12)
--------------------------------------
Title               : DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
Publication Date    : August 2016
Author(s)           : P. Wouters
Category            : EXPERIMENTAL
Source              : DNS-based Authentication of Named Entities
Area                : Security
Stream              : IETF
Verifying Party     : IESG
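The computation this erratum corrects (reported above and verified here), as an added example that is not code from RFC 7929, the errata system or anyone on this list: the OPENPGPKEY owner name of RFC 7929 section 3, next to the SHA-224 computation the erratum blames for the old 8d57[...]b7 label. Only the local-part "hugh" and the c93f[...]d6 outcome come from the page; the `algorithm` parameter, the helper names and the syntactic check are this example's own assumptions.

```python
"""OPENPGPKEY owner-name computation from RFC 7929, and a reproduction of
the mistake behind erratum 4768 (SHA-224 used instead of truncated SHA-256).
Added example; it is not code from the RFC, the errata system, or the list."""
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner(email: str, algorithm: str = "sha256") -> str:
    """Return the DNS owner name queried for an OPENPGPKEY record.

    RFC 7929 section 3: the local-part is hashed with SHA2-256, the digest
    is truncated to 28 octets and hex-encoded (56 characters), and that
    label is prepended to "_openpgpkey." followed by the domain.  The
    local-part is hashed as given; this example applies no normalisation.

    `algorithm` is an addition of this example (not part of RFC 7929); it
    only exists so the erratum's SHA-224 mistake can be reproduced.
    """
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("expected an address of the form local-part@domain")
    digest = hashlib.new(algorithm, local_part.encode("utf-8")).digest()
    label = digest[:28].hex()          # SHA-256 gives 32 octets, keep 28
    return f"{label}.{OPENPGPKEY_LABEL}.{domain}"


def hash_label(owner: str) -> str:
    """Left-most label of an OPENPGPKEY owner name (the hex hash)."""
    return owner.split(".", 1)[0]


def abbreviate(owner: str) -> str:
    """Render the hash label the way the errata text does, e.g. 'c93f[...]d6'."""
    label = hash_label(owner)
    return f"{label[:4]}[...]{label[-2:]}"


def erratum_4768(email: str = "hugh@example.com") -> dict:
    """Compare the RFC 7929 computation with the SHA-224 computation the
    erratum identified.  The point worth noticing: SHA-224 natively yields
    28 octets, so the wrong label has exactly the length RFC 7929 expects
    and passes any purely syntactic check; only the value is wrong."""
    correct = openpgpkey_owner(email)               # truncated SHA-256
    mistaken = openpgpkey_owner(email, "sha224")    # what the old text used
    return {
        "correct": correct,
        "sha224_mistake": mistaken,
        "same_length": len(hash_label(correct)) == len(hash_label(mistaken)),
        "identical": correct == mistaken,
    }


def looks_like_openpgpkey_owner(owner: str) -> bool:
    """Syntactic check only: 56 lowercase hex chars, then the _openpgpkey label.
    Deliberately weak: it accepts the erroneous SHA-224 label as well."""
    label, _, rest = owner.partition(".")
    try:
        valid_hex = len(bytes.fromhex(label)) == 28 and label == label.lower()
    except ValueError:
        valid_hex = False
    return valid_hex and rest.startswith(OPENPGPKEY_LABEL + ".")


if __name__ == "__main__":
    result = erratum_4768()
    for key in ("correct", "sha224_mistake"):
        print(f"{key:15s} {abbreviate(result[key])}  {result[key]}")
    print("same length:", result["same_length"], " identical:", result["identical"])
```

The lesson for anyone validating published OPENPGPKEY examples is that a length or hex check cannot catch this class of error; only recomputing the hash from the local-part can.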


From nobody Mon Aug  8 07:23:29 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3AC012D5DB for <dane@ietfa.amsl.com>; Mon,  8 Aug 2016 07:23:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.548
X-Spam-Level: 
X-Spam-Status: No, score=-5.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FmRHz1KQGeVf for <dane@ietfa.amsl.com>; Mon,  8 Aug 2016 07:23:22 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6330112D08D for <dane@ietf.org>; Mon,  8 Aug 2016 07:23:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 145ABBEE0; Mon,  8 Aug 2016 15:23:20 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HkDWXcpisfjw; Mon,  8 Aug 2016 15:23:19 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 31640BEDF; Mon,  8 Aug 2016 15:23:19 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1470666199; bh=M/PdP92SEoL4USSTnCScjlAjyB/iu12gTZFXzdG5u3g=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=kb8yslb217fPtYdyyE786t+sdjAoIXqIGUFds9btLAX16CfUBG0a9rBPgjJaM8joL arlAzvqg0YR0YBvoYzaOfMJnVx+OPuAWsW5zx1tK2L+hskSjhvrGF90Iu7LldXG3xG jgtlJkW7UsGxxhTRWJOK9/ffXHshoy0iIbaQzlr8=
To: Paul Wouters <paul@nohats.ca>, RFC Errata System <rfc-editor@rfc-editor.org>
References: <20160808045220.B8D73B80DB5@rfc-editor.org> <alpine.LRH.2.20.1608081005320.1715@bofh.nohats.ca>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <d9648562-fefb-0f7d-b7f3-2c9e148c45ef@cs.tcd.ie>
Date: Mon, 8 Aug 2016 15:23:19 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.20.1608081005320.1715@bofh.nohats.ca>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010208030904010100010208"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/C242okuwXdohCTz0o6_Dl6T_H5w>
Cc: dane@ietf.org, james@manger.com.au, Kathleen.Moriarty.ietf@gmail.com, pwouters@redhat.com
Subject: Re: [dane] [Editorial Errata Reported] RFC7929 (4768)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 14:23:28 -0000

This is a cryptographically signed message in MIME format.

--------------ms010208030904010100010208
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


I just marked it verified.

S

On 08/08/16 15:07, Paul Wouters wrote:
> On Sun, 7 Aug 2016, RFC Errata System wrote:
>
>> The following errata report has been submitted for RFC7929,
>> "DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=7929&eid=4768
>>
>> --------------------------------------
>> Type: Editorial
>> Reported by: James Manger <james@manger.com.au>
>>
>> Section: 5.3.
>>
>> Original Text
>> -------------
>> For example, if the OPENPGPKEY RR query for hugh@example.com
>> (8d57[...]b7._openpgpkey.example.com) yields a CNAME to
>> 8d57[...]b7._openpgpkey.example.net, and an OPENPGPKEY RR for
>> 8d57[...]b7._openpgpkey.example.net exists,
>>
>> Corrected Text
>> --------------
>> For example, if the OPENPGPKEY RR query for hugh@example.com
>> (c93f[...]d6._openpgpkey.example.com) yields a CNAME to
>> c93f[...]d6._openpgpkey.example.net, and an OPENPGPKEY RR for
>> c93f[...]d6._openpgpkey.example.net exists,
>>
>> Notes
>> -----
>> The example hash 8d57[...]b7 is wrong. It has been calculated with the
>> wrong hash algorithm: SHA-224, instead of SHA-256. The correct hash is
>> c93f[...]d6, which is shown in the example in section 3.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>
> The errata is correct :/
>
> Paul
>


--------------ms010208030904010100010208
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms010208030904010100010208--


From nobody Tue Aug  9 15:06:52 2016
Return-Path: <gnu@toad.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60C4C12D146 for <dane@ietfa.amsl.com>; Tue,  9 Aug 2016 15:06:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.324
X-Spam-Level: 
X-Spam-Status: No, score=-1.324 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZLDzQf3Jp-KE for <dane@ietfa.amsl.com>; Tue,  9 Aug 2016 15:06:50 -0700 (PDT)
Received: from new.toad.com (new.toad.com [209.237.225.253]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (112/168 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF46812D0E2 for <dane@ietf.org>; Tue,  9 Aug 2016 15:06:49 -0700 (PDT)
Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id u79M6mJn000782; Tue, 9 Aug 2016 15:06:48 -0700
Message-Id: <201608092206.u79M6mJn000782@new.toad.com>
To: Olafur Gudmundsson <ogud@ogud.com>
In-reply-to: <F21E7A4D-CF58-4905-BFCC-C1E0A2D0D660@ogud.com> 
References: <20160805174630.0BD68B81144@rfc-editor.org> <F21E7A4D-CF58-4905-BFCC-C1E0A2D0D660@ogud.com>
Comments: In-reply-to Olafur Gudmundsson <ogud@ogud.com> message dated "Sat, 06 Aug 2016 12:33:09 -0400."
Date: Tue, 09 Aug 2016 15:06:48 -0700
From: John Gilmore <gnu@toad.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/aEHfMDf90d1p_5CpDma1FS81dD0>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] RFC 7929 on DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2016 22:06:51 -0000

> The chairs want to thank Paul for his hard work in getting this 
> RFC published. 

Me too!  Paul, you are so much better at politics than I!

> In my long career as WG chair/document cat herder this was one of
> the most difficult ones. 

> > EXPERIMENTAL: This memo defines an Experimental Protocol for the
> > Internet community.  It does not specify an Internet standard of any
> > kind. Discussion and suggestions for improvement are requested.

My suggestion for improvement is that we put it on the standards
track.  I presume that the reason it switched from Standards Track to
Experimental in draft 4 of 12 is because that removed some barrier(s)
to getting it published.

But hey, there's no work to do here, we're disbanding anyway, right?
NSA is defeated.  Crypto keys are fully tied to their users by strong
mechanisms that nevertheless preserve privacy, anonymity and autonomy.
Experimental nonstandards are fine.  We're done.  Let's all go home now.

	John


From nobody Tue Aug 23 15:09:55 2016
Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B07912DBA8 for <dane@ietfa.amsl.com>; Tue, 23 Aug 2016 15:09:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level: 
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.548] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDfmVlytDAaq for <dane@ietfa.amsl.com>; Tue, 23 Aug 2016 15:09:52 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7503112DBA5 for <dane@ietf.org>; Tue, 23 Aug 2016 15:09:52 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3sJl3Z3SDTzCWZ for <dane@ietf.org>; Wed, 24 Aug 2016 00:09:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1471990186; bh=q79aql67srxfLJsyrY5ir9uxPoy8F+qinFqKuDp+HQo=; h=Date:From:To:Subject; b=AUP/RuYlZeF2W3Qix0586wo4NyvL3B3jvcjoJ+MTyUtnr5+XRKexzl6sK9I7ZPb+7 WqVC4aZPBKWagORC5FQ9EJz5AROq6Vz9kkVKSLGaiGOYpMNNOI4EU8N7wkK+IvH22g vuM9OrFftaYmkavGatBysBo41jmb9dQ4nVSiK490=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id hDuTzfmt0grP for <dane@ietf.org>; Wed, 24 Aug 2016 00:09:44 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dane@ietf.org>; Wed, 24 Aug 2016 00:09:44 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id D64554C9FF9; Tue, 23 Aug 2016 18:09:42 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca D64554C9FF9
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C4A3B411AC61 for <dane@ietf.org>; Tue, 23 Aug 2016 18:09:42 -0400 (EDT)
Date: Tue, 23 Aug 2016 18:09:42 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: dane WG list <dane@ietf.org>
Message-ID: <alpine.LRH.2.20.1608231807490.6328@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=UTF-8
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/1I82KG7CNUOMBNmK6THRI3-HpWI>
Subject: [dane] Postero DANE UI
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Aug 2016 22:09:54 -0000

https://posteo.de/en/blog/new-webmail-interface-displays-servers-with-the-highest-sending-security

 	We have just released a new feature for you: Our webmail interface now
 	shows you which of your contacts you can send to with the optimal
 	security of DANE technology. This can be recognised by a small, green
 	DANE symbol above an email address.

 	For us, the new DANE display is something very special. When we
 	introduced this new piece of security technology in May 2014, Posteo was
 	according to heise.de the first provider worldwide to support DANE. Many
 	IT experts were unsure at that time whether the new technology would
 	become established. In the meantime, this has changed – it is now
 	worthwhile displaying whether another server supports DANE: We now
 	transfer emails to many email servers worldwide using DANE as standard,
 	including large email providers such as 1&1 (as well as mail.com, GMX
 	and web.de) and Comcast.


[...]


From nobody Tue Aug 23 21:51:01 2016
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6699512B028 for <dane@ietfa.amsl.com>; Tue, 23 Aug 2016 21:51:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.05
X-Spam-Level: *
X-Spam-Status: No, score=1.05 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=1.7] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWj1yJ0BLYH5 for <dane@ietfa.amsl.com>; Tue, 23 Aug 2016 21:50:58 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57C5012B01C for <dane@ietf.org>; Tue, 23 Aug 2016 21:50:58 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 077E3284F25; Wed, 24 Aug 2016 04:50:57 +0000 (UTC)
Date: Wed, 24 Aug 2016 04:50:57 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160824045057.GJ4670@mournblade.imrryr.org>
References: <alpine.LRH.2.20.1608231807490.6328@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.20.1608231807490.6328@bofh.nohats.ca>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/J6LXZBNlmkHqDQFI-LpR0r836Yo>
Subject: Re: [dane] Postero DANE UI
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Aug 2016 04:51:00 -0000

On Tue, Aug 23, 2016 at 06:09:42PM -0400, Paul Wouters wrote:

> https://posteo.de/en/blog/new-webmail-interface-displays-servers-with-the-highest-sending-security
> 
> 	We have just released a new feature for you: Our webmail interface now
> 	shows you which of your contacts you can send to with the optimal
> 	security of DANE technology. This can be recognised by a small, green
> 	DANE symbol above an email address.

Good to hear.  In the meantime, my survey has 40k DANE TLSA domains,
and 69 that have at some point been sufficiently high volume to have
been listed on Google's email transparency report (32 listed in the
most recent report I checked).

I have good reason to expect that the 40k domains will be closer
to 500k domains around the end of this year, but these will be
predominantly small hosted domains, not provider or enterprise
domains, which, with a few exceptions (some of the ones showing up
in the Google list), are taking longer to adopt DNSSEC and DANE.

Still, 500k deployed domains by the end of the year will be decent
progress I think.  The top 20 "parent domains" that delegate the
various DANE domains are:

   17927 com
    7414 nl
    3507 de
    2879 net
    2033 org
    1620 eu
     942 be
     719 nu
     354 info
     294 se
     224 amsterdam
     204 at
     190 cz
     176 ch
     171 fr
     154 biz
     134 co.uk
     116 email
      97 xyz
      80 com.br

The top 20 MX providers are:

   24416 transip.nl
    6489 udmedia.de
    1149 nederhost.net
     701 ec-elements.com
     658 bhosted.nl
     222 core-networks.de
     141 frobbit.se
     122 mailbox.org
     115 omc-mail.com
      97 hot-chilli.net
      96 monshouwer.eu
      67 networking4all.net
      59 numeezy.com
      58 vipprodutora.net.br
      54 fyn.nl
      52 mediaweb-it.net
      51 dotplex.com
      43 tutanota.de
      43 sandwich.net
      42 wk-serv.net

The 40k domains are handled by MX hosts with 2049 distinct
certificates.  The top 10 CAs that issued DANE leaf certificates
(by certificate count) are:

 711 O=Let's Encrypt,C=US
 416 O=StartCom Ltd.,C=IL
 185 O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
 102 O=GeoTrust Inc.,C=US
  70 O=Gandi,L=Paris,ST=Paris,C=FR
  58 O=Interspire Email Marketing,L=Sao Paulo,ST=SP,C=BR
  43 O=WoSign CA Limited,C=CN
  40 O=GlobalSign nv-sa,C=BE
  31 CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.
  23 CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA

So around 1/3rd of DANE MX host certs are issued by Let's Encrypt.
Some Let's Encrypt users are still struggling with key rotation,
and need some prodding to keep their TLSA records accurate. :-(

-- 
	Viktor.


From nobody Thu Aug 25 18:35:59 2016
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5582212D0AF for <dane@ietfa.amsl.com>; Thu, 25 Aug 2016 18:35:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Id-mSTAgJRxt for <dane@ietfa.amsl.com>; Thu, 25 Aug 2016 18:35:55 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E06112B03F for <dane@ietf.org>; Thu, 25 Aug 2016 18:35:55 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id BB48E284F26; Fri, 26 Aug 2016 01:35:52 +0000 (UTC)
Date: Fri, 26 Aug 2016 01:35:52 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160826013552.GR4670@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/3Aw9R3DmrdxaHVxd-BYa6Lqgbpk>
Subject: [dane] Nudge DANE SMTP adoption at DNSSEC-signed MX hosting providers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 01:35:58 -0000

Many domain hosting providers also host the email for their customer
domains.  For a bunch of these providers the MX hosts are in a
DNSSEC-signed zone, and a non-trivial number of customer MX RRsets
are also in signed zones.  Consequently, they can easily enable DANE
SMTP for all the domains in question, just by publishing a small set
of TLSA records.

I've reached out to a couple of the providers with the largest
count of DNSSEC-signed customer domains, but don't have the cycles
to reach out to the rest.

Therefore, I am posting below a list of the provider domains that
house MX hosts that would DANE-enable 100+ domains by publishing
and monitoring appropriate TLSA records.

Any providers that get wind of this posting might find the links
below useful:

    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
    https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
    http://tools.ietf.org/html/rfc7672#section-1.3
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
    https://dane.sys4.de/common_mistakes

To wit, below my signature is a list of providers that should be
encouraged to deploy TLSA records, having already gone to all the
trouble of doing the hard part and deploying DNSSEC:

If anyone on this list knows the appropriate technical contacts at
one or more of these providers, please feel free to reach out and
give them a gentle nudge in the right direction.  Collectively,
these 58 providers can DANE-enable at least 72 thousand domains.

-- 
	Viktor.

protonmail.ch
1024degres.com
gransy.com
intility.com
networking4all.com
procolix.com
senta.com
shoptrader.com
tornado-mail.com
aerohosting.cz
banan.cz
dc3.cz
globe.cz
ignum.cz
onebit.cz
seolight.cz
smtp.cz
webcloud.cz
hosting.eu
mail-scanner.eu
mailplatform.eu
anonymail.hu
dns1.hu
integrity.hu
microware.hu
webtar.hu
servicios-nic.com.mx
netvibeshosting.net
networking4all.net
ubm-us.net
2is.nl
argewebhosting.nl
atention.nl
bit.nl
blackhole.nl
box.nl
datacon.nl
flexfilter.nl
greenhost.nl
hostingdiscounter.nl
hostplan.nl
iaf.nl
is.nl
jouwweb.nl
mach3builders.nl
openprovider.nl
pcextreme.nl
prolocation.nl
spamservice.nl
swathosting.nl
uvt.nl
webguru.nl
domeneshop.no
fastname.no
uniweb.no
entos.se
paranormal.se
ine.co.th


From nobody Fri Aug 26 02:07:39 2016
Return-Path: <ietf@bartschnet.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A99312D18E for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 02:07:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u6aXiN6Zzxts for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 02:07:34 -0700 (PDT)
Received: from mail.core-networks.de (mail.core-networks.de [IPv6:2001:1bc0:d::4:9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D60E12D105 for <dane@ietf.org>; Fri, 26 Aug 2016 02:07:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.core-networks.de id 1bdD6n-0003Jm-CM with ESMTPSA (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) for dane@ietf.org; Fri, 26 Aug 2016 11:07:31 +0200
Mime-Version: 1.0
Date: Fri, 26 Aug 2016 09:07:28 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <eda93f13aa26108467f21a109c7f9ab4@www.bartschnet.de>
X-Mailer: RainLoop/1.10.3.151
From: "Rene \"Renne\" Bartsch (rene@bartschnet.de)" <ietf@bartschnet.de>
To: dane@ietf.org
In-Reply-To: <20160826013552.GR4670@mournblade.imrryr.org>
References: <20160826013552.GR4670@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/_sQ8O3n82o0pPfC62JimWd-50vw>
Subject: Re: [dane] Nudge DANE SMTP adoption at DNSSEC-signed MX hosting providers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 09:07:38 -0000

BSI TR-03108-1 Secure E-Mail Transport
Requirements for E-Mail Service Providers (EMSP)
regarding a secure Transport of E-Mails
Version: 1.0
Date: 05/12/2016
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-1.pdf;jsessionid=BD19BA2EBEEB22AFE1A8310E1666148E.2_cid286?__blob=publicationFile&v=3

defines DANE-SMTP as mandatory in section 2.2.1 for all certified German e-mail providers.

BSI = Federal Office for Information Security (Germany)

I suggest referring to this document to show e-mail providers that DANE-SMTP is already in active use and
even made mandatory by governments.

Best regards,

Renne


On 26 August 2016 03:36, "Viktor Dukhovni" <ietf-dane@dukhovni.org> wrote:

> [...]


From nobody Fri Aug 26 02:22:04 2016
Return-Path: <ietf@bartschnet.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 332FC12D0DA for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 02:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UIlCaIuj2Fii for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 02:22:01 -0700 (PDT)
Received: from mail.core-networks.de (mail.core-networks.de [IPv6:2001:1bc0:d::4:9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CFE312D097 for <dane@ietf.org>; Fri, 26 Aug 2016 02:22:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.core-networks.de id 1bdDKn-0003v7-Q0 with ESMTPSA (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) for dane@ietf.org; Fri, 26 Aug 2016 11:21:58 +0200
Mime-Version: 1.0
Date: Fri, 26 Aug 2016 09:21:56 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <5a40f1fd2d489d5f26c8c5220e994b04@www.bartschnet.de>
X-Mailer: RainLoop/1.10.3.151
From: "Rene \"Renne\" Bartsch (rene@bartschnet.de)" <ietf@bartschnet.de>
To: dane@ietf.org
In-Reply-To: <eda93f13aa26108467f21a109c7f9ab4@www.bartschnet.de>
References: <eda93f13aa26108467f21a109c7f9ab4@www.bartschnet.de> <20160826013552.GR4670@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/YB7tS8UHh6jUQv23dAsyzj9DPNk>
Subject: Re: [dane] Nudge DANE SMTP adoption at DNSSEC-signed MX hosting providers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 09:22:03 -0000

Sorry, the link contained a session ID. Here is the correct one:

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03108/TR03108-1.pdf?__blob=publicationFile&v=3


On 26 August 2016 11:07, "Rene "Renne" Bartsch (rene@bartschnet.de)" <ietf@bartschnet.de> wrote:

> [...]


From nobody Fri Aug 26 09:25:37 2016
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AEEA12D0E1 for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 09:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9l_rUtddsyTG for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 09:25:33 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20AA12D143 for <dane@ietf.org>; Fri, 26 Aug 2016 09:25:33 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 81348284F25; Fri, 26 Aug 2016 16:25:32 +0000 (UTC)
Date: Fri, 26 Aug 2016 16:25:32 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20160826162532.GV4670@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/b_Cx9wniFVtPX6Mh43yCxoRobBU>
Subject: [dane] OpenSSL 1.1.0 released, supports DANE TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 16:25:36 -0000

For those who might not yet have heard the news, OpenSSL 1.1.0 was
released yesterday and includes support for DANE TLSA authentication.

    https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_dane_enable.html
    https://www.openssl.org/docs/manmaster/apps/s_client.html

Example:

   $ PATH=/.../OpenSSL_1_1_0/bin:$PATH
   $ dig +short -t mx ietf.org |
         while read pref mx; do
            mx=${mx%.}                  # strip the trailing dot from the MX hostname
            printf "=== %s\n" "$mx"
            # SMTP TLSA records live at _25._tcp.<MX host>
            dig +short -t tlsa "_25._tcp.$mx" |
               while read rrdata; do
                  printf "+++ %s\n" "$rrdata"
                  # send QUIT once the handshake is done so s_client exits cleanly
                  (sleep 2; printf "QUIT\r\n" ) |
                  openssl s_client -brief -starttls smtp -connect "$mx:25" \
                     -dane_tlsa_domain "$mx" -dane_tlsa_rrdata "$rrdata" \
                     -dane_ee_no_namechecks
               done
         done
   === mail.ietf.org
   +++ 3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6
   CONNECTION ESTABLISHED
   Protocol version: TLSv1.2
   Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
   Peer certificate: OU = Domain Control Validated, CN = *.ietf.org
   Hash used: SHA512
   Verification: OK
   Verified peername: *.ietf.org
   DANE TLSA 3 1 1 ...e7cb23e5b514b56664c5d3d6 matched EE certificate at depth 0
   Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
   Server Temp Key: ECDH, P-256, 256 bits
   250 8BITMIME
   DONE

-- 
	Viktor.
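Two steps this thread leaves implicit, in one added example (my code, not OpenSSL's, Viktor's or any provider's): a hosting provider from the "nudge" list above has to generate the "3 1 1" record for its MX certificate, and a sender or a monitoring job (the kind that would catch the Let's Encrypt key rotations mentioned earlier) has to check that the published rdata still matches the certificate the MX presents. The script computes TLSA matching data directly from the DER certificate with a small DER walker, so it needs nothing beyond the Python standard library, and it accepts the rdata exactly as `dig +short` prints it, including the space dig inserts into the hex (see the ietf.org output above) and either letter case. The certificate it builds is constructed for the demo (unsigned, empty issuer and subject); only its structure matters, and passing a real PEM or DER file on the command line produces a record for that certificate instead. The owner name `_25._tcp.mx.example.` is a placeholder. One caveat the shell transcript above does not show: `dig +short` does not validate DNSSEC, so an MTA must fetch the TLSA RRset through a validating resolver and require the AD bit before trusting what this check compares against.

```python
import base64
import hashlib
import re
import sys

# ---- minimal DER helpers: enough to build a sample certificate and to locate its SPKI ----

def der(tag, content):
    """Encode one DER TLV (content up to 65535 bytes)."""
    n = len(content)
    lenb = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + lenb + content

def der_tlv(buf, off):
    """Parse the TLV at buf[off]; return (tag, content_start, content_end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def load_cert(data):
    """Accept DER bytes or PEM text and return the DER certificate bytes."""
    if isinstance(data, str):
        data = data.encode()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def spki_from_cert(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo, i.e. what TLSA selector 1 hashes."""
    _, tbs_off, _ = der_tlv(cert_der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, tbs_end = der_tlv(cert_der, tbs_off)        # TBSCertificate ::= SEQUENCE { ... }
    fields = []                                         # (tag, tlv_start, tlv_end) of each TBS element
    while off < tbs_end:
        tag, _, end = der_tlv(cert_der, off)
        fields.append((tag, off, end))
        off = end
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, start, end = fields[5]   # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not where expected")
    return cert_der[start:end]

# ---- TLSA (RFC 6698 / RFC 7672) matching data ----

def tlsa_matching_data(cert_der, selector, mtype):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %d" % mtype)

def tlsa_record(cert_der, usage=3, selector=1, mtype=1):
    """Render the rdata to publish; the default is the DANE-EE(3) SPKI(1) SHA2-256(1) form."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_matching_data(cert_der, selector, mtype))

def parse_rrdata(rrdata):
    """Parse 'usage selector mtype hex' as dig prints it (dig may split the hex with spaces)."""
    parts = rrdata.split()
    usage, selector, mtype = (int(p) for p in parts[:3])
    hexdata = "".join(parts[3:]).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdata) or len(hexdata) % 2:
        raise ValueError("malformed hex in TLSA rdata")
    return usage, selector, mtype, hexdata

def tlsa_matches(cert_der, rrdata):
    """True if the certificate satisfies the record.  For DANE-TA(2) pass the issuing CA
    certificate; PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP (RFC 7672) and never match."""
    usage, selector, mtype, hexdata = parse_rrdata(rrdata)
    if usage not in (2, 3):
        return False
    return tlsa_matching_data(cert_der, selector, mtype) == hexdata

# ---- constructed sample certificate: no valid signature, only the structure matters ----

def build_sample_cert(point=bytes(range(1, 65))):
    """Build a minimal v3 certificate carrying a P-256 SPKI with the given (fake) public point."""
    ecdsa_sha256 = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))      # id-ecPublicKey
                              + der(0x06, bytes.fromhex("2a8648ce3d030107")))  # prime256v1
                    + der(0x03, b"\x00\x04" + point))                         # uncompressed point
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                              # version v3
                    + der(0x02, b"\x01")                                       # serialNumber
                    + ecdsa_sha256                                             # signature algorithm
                    + der(0x30, b"")                                           # issuer (empty Name)
                    + der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z"))
                    + der(0x30, b"")                                           # subject (empty Name)
                    + spki)
    return der(0x30, tbs + ecdsa_sha256 + der(0x03, b"\x00" + bytes(64)))     # placeholder signature

if __name__ == "__main__":
    cert = load_cert(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else build_sample_cert()
    print("_25._tcp.mx.example. IN TLSA", tlsa_record(cert))
```

Run it with no arguments to see the record for the constructed certificate, or with the path of a real leaf certificate to get the "3 1 1" rdata to publish; feed `tlsa_matches()` the live certificate and each rdata line from `dig +short -t tlsa` to monitor that a key rotation has not silently broken delivery to you.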


From nobody Fri Aug 26 10:26:17 2016
Return-Path: <simson.garfinkel@nist.gov>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C512912D158 for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 10:26:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-8iUlOxYkM8 for <dane@ietfa.amsl.com>; Fri, 26 Aug 2016 10:26:13 -0700 (PDT)
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0090.outbound.protection.outlook.com [23.103.201.90]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E70E912D150 for <dane@ietf.org>; Fri, 26 Aug 2016 10:26:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Ut3U5oSCHo9WjCi3eDQS/H9sTUq2NXCnrMUioSJaAqE=; b=aXY6MzLx5sgW30ni2mj7+U/V+8JQLSi86u5WcZ1QTyFe+zlmzCXfV8W/9d7FyALfvU+q4vjYLnCNFK2E18CLP68VGFYj/szKOz78qwG47BWnGb8/+pbFEsFEP2VdUNsRUoe5NnLikn30vytdg8VUPL8tp6MprFfNhAhrhX5D8R0=
Received: from CY1PR09MB0647.namprd09.prod.outlook.com (10.161.172.17) by CY1PR09MB0646.namprd09.prod.outlook.com (10.161.172.16) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.587.9; Fri, 26 Aug 2016 17:26:10 +0000
Received: from CY1PR09MB0647.namprd09.prod.outlook.com ([10.161.172.17]) by CY1PR09MB0647.namprd09.prod.outlook.com ([10.161.172.17]) with mapi id 15.01.0587.013; Fri, 26 Aug 2016 17:26:10 +0000
From: "Garfinkel, Simson L. (Fed)" <simson.garfinkel@nist.gov>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] OpenSSL 1.1.0 released, supports DANE TLSA
Thread-Index: AQHR/7aDap5rYABhQ0+vj/usxvTcwKBbO18A
Date: Fri, 26 Aug 2016 17:26:10 +0000
Message-ID: <45D4C913-1CC1-4703-9DF5-CB41B1C6B161@nist.gov>
References: <20160826162532.GV4670@mournblade.imrryr.org>
In-Reply-To: <20160826162532.GV4670@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=simson.garfinkel@nist.gov; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.223.67]
x-ms-office365-filtering-correlation-id: c9b2ba4d-7e0d-4f76-3e03-08d3cdd61297
x-microsoft-exchange-diagnostics: 1; CY1PR09MB0646; 6:C3GrqcO2oaDQQ0Qtc66PuGXz4eXVyNvOXIRUo9BPAAt7tILi4TlC2UjlqWLy6HScsxtQEBSeOokodYhJx7mDpvJqNKRLLHIIoi3IrAW90PQ+onnKeulblFu34ZeF6rn0EQb3VW+22cqIdjCBQs2lwxWqEpC5ZeDI2SrwU7IVRtK+BG5XeUoP2g4FXsHJK2a5LoJbSAtKrZ8ny5OyZnLIRhmzq7QcAl1mYs55ce2/710Gfcvif47g89o4aCRWWgd64mYTuR1kXy4fWSTtKOGrSXxVBrfOkcaVIssm+hapufPVD9ZyaPhnsYpDDa8pa1QLcM6MhZKR6ZW7ISvxzaHIjw==; 5:ZiFS7+A72022HK1ToGE15knaHzFULL/rZlvZsYSNvWEE4nj48vgKhqbfOe6X/b9UNvxzFgVACC9Qlu6Bgr0usbBHsepgE0X6sGF+bGBa8xSFniRF3WDEVsWIzjCtkvHVZzZatPe3MdFewC3qX2+KEg==; 24:eh4LJPiHulTMB1c7SsoLdAfry9+v/yM2MGSfRqzVO1IQ3kYWSKhE7IPPOaTpoLuadeJ29BE7J0GyfrOtuLJpiLo6DsPWUB6UjPTHhE9kR5o=; 7:91AP82vCmoWhPXA9HRYd14YIdZTayfWaNn2z5NA0YDE2gMXiNeRP8e916gOrY7tf1QohVG/ldL7u+UdDrtqh1ovqUNumyupUVo+yjn8mFmvDJuOP9JbslKamXjPWPDdS+lzZqtK4eNOtvb3c1mPjIG25uybmB8nbGoCLDk94Gb7dvXVTSmgkeUkkHwmvDMdBfMLKoZD/sP34fUTvM6PdTrMtahEyQ5Vmokn1o7FWu/eYRRYr6lHLeUL+tGHC5vkg
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR09MB0646;
x-microsoft-antispam-prvs: <CY1PR09MB0646BC2C3AB30259B4070BC8F6EC0@CY1PR09MB0646.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(36789356921836);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:CY1PR09MB0646; BCL:0; PCL:0; RULEID:; SRVR:CY1PR09MB0646; 
x-forefront-prvs: 00462943DE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(377454003)(199003)(189002)(24454002)(15975445007)(2900100001)(87936001)(86362001)(66066001)(76176999)(19580395003)(54356999)(50986999)(97736004)(8676002)(105586002)(2351001)(2906002)(101416001)(92566002)(11100500001)(106116001)(122556002)(5640700001)(68736007)(99286002)(586003)(3660700001)(102836003)(450100001)(10400500002)(2501003)(3846002)(6116002)(33656002)(3280700002)(106356001)(305945005)(7736002)(2950100001)(77096005)(110136002)(107886002)(5002640100001)(1730700003)(8936002)(81166006)(81156014)(189998001)(83716003)(82746002)(5660300001)(7846002)(36756003)(19580405001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR09MB0646; H:CY1PR09MB0647.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <5C8075CEAE926C488CEB9810EC6395EB@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Aug 2016 17:26:10.6868 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR09MB0646
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/V1dGfJTnh1gLC7NHlO1vw1-wyeQ>
Subject: Re: [dane] OpenSSL 1.1.0 released, supports DANE TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2016 17:26:15 -0000
From manuela.p@fun-mail.net  Thu Aug 25 14:33:08 2016
Return-Path: <manuela.p@fun-mail.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C417C12B02C for <dane@ietfa.amsl.com>; Thu, 25 Aug 2016 14:33:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fun-mail.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eFc5fVUNAsYK for <dane@ietfa.amsl.com>; Thu, 25 Aug 2016 14:33:06 -0700 (PDT)
Received: from shout01.mail.de (shout01.mail.de [IPv6:2001:868:100:600::216]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 200AD126D74 for <dane@ietf.org>; Thu, 25 Aug 2016 14:33:05 -0700 (PDT)
Received: from postfix03.mail.de (postfix03.bt.mail.de [10.0.121.127]) by shout01.mail.de (Postfix) with ESMTP id 875BB40220 for <dane@ietf.org>; Thu, 25 Aug 2016 23:33:03 +0200 (CEST)
Received: from smtp03.mail.de (smtp03.bt.mail.de [10.0.121.213]) by postfix03.mail.de (Postfix) with ESMTP id 7219740121 for <dane@ietf.org>; Thu, 25 Aug 2016 23:33:03 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fun-mail.net; s=fun-mail201307; t=1472160783; bh=zKUJ5GkwhO0qjcwZmzcAMDWFwLYYmsx8MlpgxkZU0eU=; h=From:To:Subject:Date:From; b=kvIxlKlMsTU5qiew606MPpFMiIpo4jIkX/eq4YML2EdRwUM2d8Z0jGUTthOzk5TgF 1YV0OwvQx4/txDAIWm7LstW9t3kfjEyCyQltsFoTL3up99YKGeV2b2UcIUSLz7IErC y5Q5aPrF4FfDGl0LnzweVISpoe504um1yKni0gs8=
Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp03.mail.de (Postfix) with ESMTPSA id 3959440066 for <dane@ietf.org>; Thu, 25 Aug 2016 23:33:03 +0200 (CEST)
From: manuela.p@fun-mail.net
To: dane@ietf.org
X-Priority: 3
Date: Thu, 25 Aug 2016 23:33:03 +0200
Content-Type: multipart/alternative; boundary="=_e5db69f488ec20f2ccd8414646c32a92"
MIME-Version: 1.0
Message-Id: <20160825213303.3959440066@smtp03.mail.de>
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate: clean
X-purgate-size: 4292
X-purgate-ID: 154282::1472160783-0000085D-A01FF705/0/0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/SH9FSalAaPe2neuZ82djQXssHOA>
X-Mailman-Approved-At: Fri, 26 Aug 2016 18:46:22 -0700
Subject: Re: [dane] Postero DANE UI
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 21:36:13 -0000

--=_e5db69f488ec20f2ccd8414646c32a92
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Sorry to say, but where is the news? Two other German email providers have
already been showing that DANE information while writing an email for a long time:
mailbox.org since 28 May 2015
  https://mailbox.org/mailbox-org-informiert-vor-e-mail-versand-ueber-sicherheitslevel-der-empfaenger/
mail.de since 24 February 2016
  https://mail.de/blog/2016-02-neue-funktion-warnt-vor-unverschluesselten-e-mail-empfaengern/

On 25-Aug-2016 23:31:09 +0200, paul@nohats.ca wrote:

> https://posteo.de/en/blog/new-webmail-interface-displays-servers-with-the-highest-sending-security
>
> We have just released a new feature for you: Our webmail interface now
> shows you which of your contacts you can send to with the optimal
> security of DANE technology. This can be recognised by a small, green
> DANE symbol above an email address.
>
> For us, the new DANE display is something very special. When we
> introduced this new piece of security technology in May 2014, Posteo was
> according to heise.de the first provider worldwide to support DANE. Many
> IT experts were unsure at that time whether the new technology would
> become established. In the meantime, this has changed - it is now
> worthwhile displaying whether another server supports DANE: We now
> transfer emails to many email servers worldwide using DANE as standard,
> including large email providers such as 1&1 (as well as mail.com, GMX
> and web.de) and Comcast.
>
> [...]


--=_e5db69f488ec20f2ccd8414646c32a92--


From nobody Sat Aug 27 05:51:12 2016
Return-Path: <ietf@bartschnet.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CF6D12B009 for <dane@ietfa.amsl.com>; Sat, 27 Aug 2016 05:51:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zBU3pLdFADkO for <dane@ietfa.amsl.com>; Sat, 27 Aug 2016 05:51:09 -0700 (PDT)
Received: from mail.core-networks.de (mail.core-networks.de [IPv6:2001:1bc0:d::4:9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E88F12D113 for <dane@ietf.org>; Sat, 27 Aug 2016 05:51:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.core-networks.de id 1bdd4j-0006N7-JZ with ESMTPSA (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) for dane@ietf.org; Sat, 27 Aug 2016 14:51:06 +0200
Mime-Version: 1.0
Date: Sat, 27 Aug 2016 12:51:03 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <6ff0a5c9742984d1e38c9816ba2689c3@www.bartschnet.de>
X-Mailer: RainLoop/1.10.3.151
From: "Rene \"Renne\" Bartsch (rene@bartschnet.de)" <ietf@bartschnet.de>
To: dane@ietf.org
In-Reply-To: <20160826162532.GV4670@mournblade.imrryr.org>
References: <20160826162532.GV4670@mournblade.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/UQ7cccLMldxiJqocJsWo5cjr8uY>
Subject: Re: [dane] OpenSSL 1.1.0 released, supports DANE TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Aug 2016 12:51:11 -0000

We should do some lobbying with browser vendors to get attention from the masses. It will help DANE if requested by users. ;-)

What TLS libraries do other browsers use? Which TLS libraries other than OpenSSL support DANE-TLS?

Mozilla Firefox -> NSS
Google Chrome/Chromium -> BoringSSL


On 26 August 2016 18:25, "Viktor Dukhovni" <ietf-dane@dukhovni.org> wrote:
> For those who might not yet have heard the news, OpenSSL 1.1.0 was
> released yesterday and includes support for DANE TLSA authentication.
> 
> https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_dane_enable.html
> https://www.openssl.org/docs/manmaster/apps/s_client.html
> 
> Example:
> 
> $ PATH=/.../OpenSSL_1_1_0/bin:$PATH
> $ dig +short -t mx ietf.org |
>   while read pref mx; do
>     mx=${mx%.}
>     printf "=== %s\n" "$mx"
>     dig +short -t tlsa "_25._tcp.$mx" |
>       while read rrdata; do
>         printf "+++ %s\n" "$rrdata"
>         (sleep 2; printf "QUIT\r\n" ) |
>           openssl s_client -brief -starttls smtp -connect "$mx:25" \
>             -dane_tlsa_domain "$mx" -dane_tlsa_rrdata "$rrdata" \
>             -dane_ee_no_namechecks
>       done
>   done
> === mail.ietf.org
> +++ 3 1 1 0C72AC70B745AC19998811B131D662C9AC69DBDBE7CB23E5B514B566 64C5D3D6
> CONNECTION ESTABLISHED
> Protocol version: TLSv1.2
> Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
> Peer certificate: OU = Domain Control Validated, CN = *.ietf.org
> Hash used: SHA512
> Verification: OK
> Verified peername: *.ietf.org
> DANE TLSA 3 1 1 ...e7cb23e5b514b56664c5d3d6 matched EE certificate at depth 0
> Supported Elliptic Curve Point Formats:
> uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
> Server Temp Key: ECDH, P-256, 256 bits
> 250 8BITMIME
> DONE
> 
> -- 
> Viktor.
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
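The `-dane_tlsa_rrdata` value in the quoted example is a TLSA record in presentation format: certificate usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256), then the digest. OpenSSL reports a match when the SHA-256 of the leaf certificate's SPKI equals that digest, which is why the output reads "matched EE certificate at depth 0" and why `-dane_ee_no_namechecks` is acceptable for DANE-EE: under RFC 7671 the published key is the identity, so neither PKIX validation nor a name check is needed. Two details from the output worth knowing: dig may wrap the hex field with whitespace, as in the `+++` line, and the "Hash used: SHA512" line is the handshake signature hash, not the TLSA digest. The following is an added example of that matching logic, not OpenSSL code and not from anyone in this thread; the certificate bytes are constructed stand-ins for DER, and a real caller would supply the DER certificate and its DER SubjectPublicKeyInfo.

```python
"""TLSA record parsing and DANE-EE / DANE-TA matching (RFC 6698, RFC 7671).

Added example, not code from OpenSSL or from the mailing-list thread.
The "certificates" are constructed byte strings standing in for DER.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes   # DER-encoded certificate (selector 0)
    spki: bytes  # DER-encoded SubjectPublicKeyInfo (selector 1)


DIGEST_LEN = {1: 32, 2: 64}


def parse_tlsa(rrdata: str) -> Tlsa:
    """Parse presentation-format rdata as printed by `dig +short -t tlsa`.

    dig may break the hex field with whitespace, so everything after the
    first three fields is joined before decoding.
    """
    fields = rrdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown certificate usage, selector or matching type")
    data = bytes.fromhex("".join(fields[3:]))
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        raise ValueError(f"matching type {mtype} needs {want} bytes, got {len(data)}")
    return Tlsa(usage, selector, mtype, data)


def association_data(rec: Tlsa, cert: Cert) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    raw = cert.der if rec.selector == 0 else cert.spki
    if rec.mtype == 0:
        return raw
    algo = hashlib.sha256 if rec.mtype == 1 else hashlib.sha512
    return algo(raw).digest()


def match_chain(records: List[Tlsa], chain: List[Cert]) -> Optional[Tuple[Tlsa, int]]:
    """Return (record, depth) for the first record matching the presented chain.

    chain[0] is the end-entity certificate, chain[1:] the issuers as sent by
    the server. DANE-EE (3) matches only depth 0 and needs neither PKIX
    validation nor a name check. DANE-TA (2) matches an issuer at depth >= 1;
    building and validating the path to that trust anchor is left out here.
    PKIX-TA/EE (0, 1) also need validation against the local trust store and
    are not matched by this helper.
    """
    if not chain:
        return None
    for rec in records:
        if rec.usage == 3:
            candidates = [(chain[0], 0)]
        elif rec.usage == 2:
            candidates = list(zip(chain[1:], range(1, len(chain))))
        else:
            continue
        for cert, depth in candidates:
            if hmac.compare_digest(association_data(rec, cert), rec.data):
                return rec, depth
    return None


def ee_record_for(cert: Cert) -> str:
    """The '3 1 1' rdata an operator would publish for cert (SPKI, SHA-256);
    it survives certificate renewals that keep the same key."""
    return "3 1 1 " + hashlib.sha256(cert.spki).hexdigest()


def ta_record_for(cert: Cert) -> str:
    """A '2 0 1' rdata pinning the full issuer certificate (SHA-256)."""
    return "2 0 1 " + hashlib.sha256(cert.der).hexdigest()


# Constructed stand-in certificates (not real DER).
EE = Cert(der=b"constructed EE certificate", spki=b"constructed EE public key")
CA = Cert(der=b"constructed issuer certificate", spki=b"constructed issuer key")
CHAIN = [EE, CA]


if __name__ == "__main__":
    rec = parse_tlsa(ee_record_for(EE))
    print(match_chain([rec], CHAIN))         # EE key matches at depth 0
    rolled = Cert(der=b"renewed EE certificate", spki=b"new EE public key")
    print(match_chain([rec], [rolled, CA]))  # None: stale record after key rollover
```

The second call in the `__main__` block is the failure mode operators have to watch for: a key rollover without a matching TLSA update makes every DANE-verifying sender refuse the connection, which is why monitoring belongs in place before the records go live.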


From nobody Sat Aug 27 10:32:02 2016
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E3A12B032 for <dane@ietfa.amsl.com>; Sat, 27 Aug 2016 10:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WkkgPVmTof9v for <dane@ietfa.amsl.com>; Sat, 27 Aug 2016 10:32:00 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E063B12B01D for <dane@ietf.org>; Sat, 27 Aug 2016 10:31:59 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id A2D79284D97 for <dane@ietf.org>; Sat, 27 Aug 2016 17:31:58 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <6ff0a5c9742984d1e38c9816ba2689c3@www.bartschnet.de>
Date: Sat, 27 Aug 2016 13:31:56 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <7D244931-8F28-4C84-A3F1-673DED42A29F@dukhovni.org>
References: <20160826162532.GV4670@mournblade.imrryr.org> <6ff0a5c9742984d1e38c9816ba2689c3@www.bartschnet.de>
To: dane@ietf.org
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/eewZw1OZHiXqyU_YiYqEs8oKlwM>
Subject: Re: [dane] OpenSSL 1.1.0 released, supports DANE TLSA
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Aug 2016 17:32:01 -0000

> On Aug 27, 2016, at 8:51 AM, Rene Renne Bartsch (rene@bartschnet.de) <ietf@bartschnet.de> wrote:
> 
> We should do some lobbying with browser vendors to get attention from the masses. It will help DANE if requested by users. ;-)
> 
> What TLS-libraries do other browsers use? What other TLS-libraries other than OpenSSL do support DANE-TLS?
> 
> Mozilla Firefox -> NSS
> Google Chrome/Chromium -> BoringSSL

Browsers are, I think, unlikely to support DANE quite yet. They
probably need DNSSEC stapling standardized and implemented in
HTTP servers (nginx, Apache, IIS, ...) before enabling DANE
support in browsers is worth the effort.

Browsers all too often find themselves in environments that
are hostile to client DNSSEC access, so DANE without stapling
is, I think, not an option for browsers now or for many years
forward.

-- 
	Viktor.


From nobody Mon Aug 29 06:28:24 2016
Return-Path: <cgielen+ietf-dane@uvt.nl>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5298112D610 for <dane@ietfa.amsl.com>; Mon, 29 Aug 2016 06:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ncR5RBLsRRE for <dane@ietfa.amsl.com>; Mon, 29 Aug 2016 06:28:20 -0700 (PDT)
Received: from polyanin.uvt.nl (polyanin.uvt.nl [IPv6:2001:610:1410:0:6584:7ef6:571d:a197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8138C12D0CF for <dane@ietf.org>; Mon, 29 Aug 2016 06:28:20 -0700 (PDT)
Received: by polyanin.uvt.nl (Postfix, from userid 117) id A2DF9C004E0; Mon, 29 Aug 2016 15:28:17 +0200 (CEST)
Received: from localhost by polyanin (rewritefishurl); Mon, 29 Aug 2016 15:28:17 +0200
Received: from localhost (localhost [IPv6:::1]) by polyanin.uvt.nl (Postfix) with ESMTP id 9B335C000B2; Mon, 29 Aug 2016 15:28:17 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at uvt.nl
X-Spam-Cookie: 24e1db5abe924699ea7b8c048a8a3f0c414bfe43
Received: from lambert.uvt.nl ([IPv6:2001:610:1410:0:55c7:8a48:39f2:4256]) by localhost (polyanin.uvt.nl [IPv6:2001:610:1410:0:6584:7ef6:571d:a197]) (amavisd-new, port 10024) with ESMTP id lcPlj0d5XctR; Mon, 29 Aug 2016 15:28:17 +0200 (CEST)
Received: from [::1] (localhost [::1]) (Authenticated sender: cgielen) by lambert.uvt.nl (Postfix) with ESMTPSA id 75524880FC0
From: Casper Gielen <cgielen+ietf-dane@uvt.nl>
To: dane@ietf.org
References: <20160826013552.GR4670@mournblade.imrryr.org>
Message-ID: <a224e2a1-d038-5b7f-2c5c-b90a3686a9c0@uvt.nl>
Date: Mon, 29 Aug 2016 15:27:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160826013552.GR4670@mournblade.imrryr.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="gJMipjTGwBeEgKjsXCCAKjbeTwXK3n9vC"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/jmj1LR0xNT0RryD-_q_1Ajm3r68>
Subject: Re: [dane] Nudge DANE SMTP adoption at DNSSEC-signed MX hosting providers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2016 13:28:23 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--gJMipjTGwBeEgKjsXCCAKjbeTwXK3n9vC
Content-Type: multipart/mixed; boundary="c6ItJeBHFBr8JJHWbbLg6sgMmSv5VbO6O"
From: Casper Gielen <cgielen+ietf-dane@uvt.nl>
To: dane@ietf.org
Cc: Viktor Dukhovni <ietf-dane@dukhovni.org>
Message-ID: <a224e2a1-d038-5b7f-2c5c-b90a3686a9c0@uvt.nl>
Subject: Re: [dane] Nudge DANE SMTP adoption at DNSSEC-signed MX hosting
 providers
References: <20160826013552.GR4670@mournblade.imrryr.org>
In-Reply-To: <20160826013552.GR4670@mournblade.imrryr.org>

--c6ItJeBHFBr8JJHWbbLg6sgMmSv5VbO6O
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi there,

uvt.nl here, we are working towards deploying DANE on all our zones and
have most of the pieces in place. There's an issue with monitoring that
needs to be fixed before we can go live. We expect to deploy before the
end of the year, probably much sooner.

-- 
Casper Gielen <cgielen@uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telephone 013 466 4100 | G 236 | http://www.uvt.nl

--c6ItJeBHFBr8JJHWbbLg6sgMmSv5VbO6O--

--gJMipjTGwBeEgKjsXCCAKjbeTwXK3n9vC
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlfEOEoACgkQIhQIPPgOSvcLVACeMAfdzApCAh9SLCR8w6gKl9Ed
FXwAni96tlZ+XBKkrXk32glopqv1ytc0
=OrZP
-----END PGP SIGNATURE-----

--gJMipjTGwBeEgKjsXCCAKjbeTwXK3n9vC--

