Sounds like you are proposing this.

For what it is worth, I agree that u= sing the DNS to store per-user data is not a good approach. The DNS adminis= tration model is that it makes assertions about network names and not indiv= idual users. Previous attempts to put end users in the DNS have uniformly m= et with failure.

But that does not mean that LDAP is a useful tool. LDAP= has tons of complexity and none of it does the slightest bit of good.

While writing my RFC tool I thought abo= ut writing a spec for an Internet bibliography service that would convert l= abels [RFC4386] to XML documents describing the reference.

Then after a fairly short amount of work I realized tha= t I could do everything I wanted using HTTP and some simple regular express= ion pattern matching. And the regexp stuff was only necessary because I wan= ted to reuse the existing libraries of references at xml.resource.org.

So if you want to do per client records = my suggestion would be

1) Use HTTP as the query la= nguage transport.

2) Put some form of pointer to t= he service in the DNS.

3) Use DNSSEC to secure the binding

It might well be that (2) is a case where NAPTR would = be a good solution. Or it might not.

On Fri, Jul 26, 2013 at 10:19 AM, Rick v= an Rein (OpenFortress) <rick@openfortress.nl> wrote:
<= blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px= #ccc solid;padding-left:1ex"> Hello Paul Wouters,

I came across your work on storing public key credentials of users in the D= NS:
* draft-wouters-dane-openpgp-00
* draft-wouters-dane-otrfp-00
As I am currently trying to achieve similar, secure end-to-end exchanges of= public key material for secure communication, this is very interesting. = =A0Thanks for the work!

When I read them, I found that you made a choice that we deliberately aband= oned as unpractical, so I thought it good to share our thoughts. =A0The bac= kground of our work is http://networkeffectalliance.org/ with which we aim to get = more end user and technical facilities incorporated into hosting packages. = =A0Doing this, we are rather keen on privacy and security, as you are in yo= ur drafts.

We decided against the sort of options in DNS that you are describing becau= se we felt that the DNS is not meant for storing individual user credential= s. =A0One reason for this opinion is that DNS is ultimately treated public = data, and no DNS admin will accept responsibility for "leaking" i= nformation through DNS, whereas most users will not want that kind of treat= ment with their electronically addressable contact channels. =A0Another rea= son is that DNS management is usually considered too sensitive to update fo= r end user changes; which is why it is often in the hands of another (class= of) operator.

We are embarking in another direction, and thought this might also be usefu= l for you, also because it can be used without RFC work. =A0Instead of =A0u= sing DNS for user data, we are looking at LDAP (with DANE to secure it). = =A0It is a very suitable mechanism for retrieval of end-user descriptive in= formation, ranging from postalAddress to pgpKey descriptions. =A0It also ha= s a well-established notion of a Global Directory that is based on DNS-name= s derived from dc=3D,dc=3D trailers to distinguishedNames, and SRV record l= ookups of LDAP service under such domains. =A0Given an email address, the u= sername part can then be sought with (uid=3D=85) filtering, and PGP keys an= d such can be located under that node. =A0I am not aware of any XMPP profil= e for LDAP, but that is as straightforward to define as it has been for Ope= nPGP, SSH and even SRP. =A0It is probably easier to get such an LDAP attrib= ute spec standardised as an RFC or even just a XEP than your proposed use o= f DNS.

The searchable structured data in LDAP can have privacy issues when used as= a public-facing service when published without restraint; we are resolving= that with a filtering practice (for which we are developing software) that= can filter out considered-private attributes (or objects) unless their att= ribute values are explicitly mentioned in a query. =A0So, searching for (ui= d=3Drick) under dc=3Dopenfortress,dc=3Dnl would deliver my account record w= ith email address and SIP phone number as well as being a parent for key ma= terial, but searching for (uid=3D*) would not deliver this if I configured = LDAP to treat uid as too private to publish in that case. =A0Another reason= not to publish LDAP is that it is often used for data about local infra; t= his can be solved by separating in-house and public directory services.

If you want to know more about this work, you can visit this site with the = work in progress: http://rickywiki.vanrein.org/doku.php?id=3Dglobal= dir

Specifically note how, for OpenPGP, there is a solution that already works = with PGP tools -- they will perform that LDAP queries to per-domain LDAP se= rvice. I detailed it on the subpage http://rickywiki.vanr= ein.org/doku.php?id=3Dglobaldir-5-openpgp

I hope this is helpful!

Cheers,

Rick van Rein
OpenFortress
+31.53.4782239<= br> rick@openfortress.nl =A0 (SMTP,= XMPP, SIP)
_______________________________________________
dane mailing list
dane@ietf.org
ht= tps://www.ietf.org/mailman/listinfo/dane

--
Website: http://hallambaker.com/

--089e0141a1fc584bc904e34be980-- From gnu@toad.com Tue Aug 6 18:06:38 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58DC21F9D9C; Tue, 6 Aug 2013 18:06:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o7zhiweaB1+J; Tue, 6 Aug 2013 18:06:34 -0700 (PDT) Received: from new.toad.com (new.toad.com [209.237.225.253]) by ietfa.amsl.com (Postfix) with ESMTP id 8642621F9DAF; Tue, 6 Aug 2013 18:06:34 -0700 (PDT) Received: from new.toad.com (localhost.localdomain [127.0.0.1]) by new.toad.com (8.12.9/8.12.9) with ESMTP id r7716UgN004651; Tue, 6 Aug 2013 18:06:30 -0700 Message-Id: <201308070106.r7716UgN004651@new.toad.com> To: Phillip Hallam-Baker In-reply-to: References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> Comments: In-reply-to Phillip Hallam-Baker message dated "Tue, 06 Aug 2013 14:51:23 -0400." Date: Tue, 06 Aug 2013 18:06:30 -0700 From: John Gilmore X-Mailman-Approved-At: Tue, 06 Aug 2013 22:58:50 -0700 Cc: "Rick van Rein $OpenFortress$" , "dane@ietf.org" , openpgp@ietf.org Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Aug 2013 01:06:39 -0000 > For what it is worth, I agree that using the DNS to store per-user data is > not a good approach. The DNS administration model is that it makes > assertions about network names and not individual users. Previous attempts > to put end users in the DNS have uniformly met with failure. > > But that does not mean that LDAP is a useful tool. LDAP has tons of > complexity and none of it does the slightest bit of good. The classic Internet protocol for providing per-user data is "finger", RFC 742 from 1977. (Note by the way the illustrious users in the "examples" section.) It has been updated a few times, most recently in RFC 1288 from 1991. It is a Draft Standard. Many people put their PGP public key in their .plan file for easy remote access via finger. Finger has two drawbacks for this purpose: It is not authenticated nor encrypted; and it is designed to be human-readable, not machine-readable. But a simple finger-like protocol, authenticated and encrypted via keys anchored in DNSSEC, might not only fill the need to obtain keys, but also offer a secured and machine-readable replacement for the finger protocol. > Sounds like you are proposing this. > http://www.ietf.org/rfc/rfc4386.txt Well, no. That just specifies a DNS RR for finding a server that includes X.509 stuff. It doesn't define a protocol for getting the stuff from that server, nor is it generic to information beyond X.509. >> * draft-wouters-dane-openpgp-00 >> * draft-wouters-dane-otrfp-00 These actually specify how to get authenticated key material from the DNS. (However, they don't encrypt the DNS transaction, so the identity of the user being communicated with is leaked to NSA and any other wiretappers...) John From mcr@sandelman.ca Tue Aug 6 19:49:37 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C80721E80B5; Tue, 6 Aug 2013 19:49:37 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.522 X-Spam-Level: X-Spam-Status: No, score=-2.522 tagged_above=-999 required=5 tests=[AWL=0.077, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gyjiAPIryeDx; Tue, 6 Aug 2013 19:49:32 -0700 (PDT) Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3::184]) by ietfa.amsl.com (Postfix) with ESMTP id D7B3421E80C1; Tue, 6 Aug 2013 19:49:31 -0700 (PDT) Received: from sandelman.ca (desk.marajade.sandelman.ca [209.87.252.247]) by tuna.sandelman.ca (Postfix) with ESMTP id CD79820172; Tue, 6 Aug 2013 23:55:58 -0400 (EDT) Received: by sandelman.ca (Postfix, from userid 179) id EC85BA904C; Tue, 6 Aug 2013 22:48:01 -0400 (EDT) Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id D6A49B8EA6; Tue, 6 Aug 2013 22:48:01 -0400 (EDT) From: Michael Richardson To: John Gilmore In-Reply-To: <201308070106.r7716UgN004651@new.toad.com> References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Sender: mcr@sandelman.ca X-Mailman-Approved-At: Tue, 06 Aug 2013 22:58:50 -0700 Cc: openpgp@ietf.org, "Rick van Rein $OpenFortress$" , Phillip Hallam-Baker , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Aug 2013 02:49:37 -0000 --=-=-= John Gilmore wrote: >> For what it is worth, I agree that using the DNS to store per-user data is >> not a good approach. The DNS administration model is that it makes >> assertions about network names and not individual users. Previous attempts >> to put end users in the DNS have uniformly met with failure. >> >> But that does not mean that LDAP is a useful tool. LDAP has tons of >> complexity and none of it does the slightest bit of good. > The classic Internet protocol for providing per-user data is "finger", > RFC 742 from 1977. (Note by the way the illustrious users in the > "examples" section.) It has been updated a few times, most recently > in RFC 1288 from 1991. It is a Draft Standard. Many people put their > PGP public key in their .plan file for easy remote access via finger. > Finger has two drawbacks for this purpose: It is not authenticated nor > encrypted; and it is designed to be human-readable, not > machine-readable. But a simple finger-like protocol, authenticated > and encrypted via keys anchored in DNSSEC, might not only fill the > need to obtain keys, but also offer a secured and machine-readable > replacement for the finger protocol. Alas, finger ignores the MX records, and the standard client does not pass the entire command line argument in the query (making multi-tenant hard). This effectively means that one has to run the fingerd on the web server, as many want "example.com" to answer the same as "www.example.com", and HTTP doesn't do SRV lookup either. If finger could be updated to look up a SRV RR to find the finger server, it would be very so much easier to deploy. Given IPv6, putting a unique IP address per hosted domain isn't so terrible, but having % finger user@example.com send "user@example.com" as it's query would help too. I frankly think that having per-user data in DNS is not a horrible thing. It is true that the DNS administrators often will not like this, but as was pointed out in a WG session last week, many them will respond to a request like: "please insert user.example.com IN NS ns1.user.example.com" even when they don't understand: "please delegate user.example.com to ns1.user.example.com" (yes, you can finger me for keys to check this message. John convinced me it the utility 15 years ago.) -- Michael Richardson , Sandelman Software Works --=-=-= Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQCVAwUBUgG1X4qHRg3pndX9AQJcCAP/aPGikznbKpMgLvTQN/abkoo8jGiu4dAU rLcKyVy9/YlRYZMcg+LrRdeCGJnuIlpmE2j7FIyFdkREXDgk7H9XCedl3iZ++QXz 1VbkxY5Rh9dWE44SLbiy1vZ3xcTXo1CibN9cTsuxRBEz3yHSarHYEFkQ+oKVwbtQ zi3mlfWh+Gc= =5+EL -----END PGP SIGNATURE----- --=-=-=-- From marka@isc.org Tue Aug 6 20:10:04 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A526821F9A0C; Tue, 6 Aug 2013 20:10:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.482 X-Spam-Level: X-Spam-Status: No, score=-2.482 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDi5HdZrqqSl; Tue, 6 Aug 2013 20:09:58 -0700 (PDT) Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id C4F8221F9A1C; Tue, 6 Aug 2013 20:09:54 -0700 (PDT) Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id A3271C948E; Wed, 7 Aug 2013 03:09:16 +0000 (UTC) (envelope-from marka@isc.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1375844993; bh=rV3w1l26c7cVuyctCvcvawM3wTvSazWuzeunCvzJqg4=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=ViBkdT3Y0+TpnQIX1FhsfzrJBevkki3G6AP6gsf3u0TVdl9+P/bldI0UmSkSDNwva zjMbqq0bCHeY1z6JOWkDZfrA/qGB31o2Ns+MbqUWfcyUhN9dvNjG2p1AqYB9ZLLIcA /TSSt/D2wMZopL1SwFrq6VrR/+XSVFZVCKmTkPn8= Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Wed, 7 Aug 2013 03:09:16 +0000 (UTC) (envelope-from marka@isc.org) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B226616037C; Wed, 7 Aug 2013 03:13:30 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id FpDWHKe_4u9A; Wed, 7 Aug 2013 03:13:26 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 1B80A16037A; Wed, 7 Aug 2013 03:13:26 +0000 (UTC) Received: from drugs.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id A66A1160082; Wed, 7 Aug 2013 03:13:25 +0000 (UTC) Received: from drugs.dv.isc.org (localhost [IPv6:::1]) by drugs.dv.isc.org (Postfix) with ESMTP id A569C3814077; Wed, 7 Aug 2013 13:09:09 +1000 (EST) To: Michael Richardson From: Mark Andrews References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> <30532.1375843681@sandelman.ca> In-reply-to: Your message of "Tue, 06 Aug 2013 22:48:01 -0400." <30532.1375843681@sandelman.ca> Date: Wed, 07 Aug 2013 13:09:09 +1000 Message-Id: <20130807030909.A569C3814077@drugs.dv.isc.org> X-DCC--Metrics: post.isc.org; whitelist X-Mailman-Approved-At: Tue, 06 Aug 2013 22:58:50 -0700 Cc: "Rick van Rein $OpenFortress$" , openpgp@ietf.org, John Gilmore , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Aug 2013 03:10:04 -0000 > John Gilmore wrote: > >> For what it is worth, I agree that using the DNS to store per-user data is > >> not a good approach. The DNS administration model is that it makes > >> assertions about network names and not individual users. Previous attempts > >> to put end users in the DNS have uniformly met with failure. > >> > >> But that does not mean that LDAP is a useful tool. LDAP has tons of > >> complexity and none of it does the slightest bit of good. > > > The classic Internet protocol for providing per-user data is "finger", > > RFC 742 from 1977. (Note by the way the illustrious users in the > > "examples" section.) It has been updated a few times, most recently > > in RFC 1288 from 1991. It is a Draft Standard. Many people put their > > PGP public key in their .plan file for easy remote access via finger. > > > Finger has two drawbacks for this purpose: It is not authenticated nor > > encrypted; and it is designed to be human-readable, not > > machine-readable. But a simple finger-like protocol, authenticated > > and encrypted via keys anchored in DNSSEC, might not only fill the > > need to obtain keys, but also offer a secured and machine-readable > > replacement for the finger protocol. > > Alas, finger ignores the MX records, and the standard client does not pass > the entire command line argument in the query (making multi-tenant hard). > > This effectively means that one has to run the fingerd on the web server, > as many want "example.com" to answer the same as "www.example.com", and HTTP > doesn't do SRV lookup either. > > If finger could be updated to look up a SRV RR to find the finger server, > it would be very so much easier to deploy. Given IPv6, putting a unique IP > address per hosted domain isn't so terrible, but having > % finger user@example.com > > send "user@example.com" as it's query would help too. > > I frankly think that having per-user data in DNS is not a horrible thing. > It is true that the DNS administrators often will not like this, but as was > pointed out in a WG session last week, many them will respond to a request > like: > "please insert > user.example.com IN NS ns1.user.example.com" > > even when they don't understand: > "please delegate user.example.com to ns1.user.example.com" > > (yes, you can finger me for keys to check this message. John convinced me it > the utility 15 years ago.) > > -- > Michael Richardson , Sandelman Software Works DNS mailbox format for users is just plain wrong. It results in namespace collisions between users and hosts which has all sorts of implications on delegations. Additionally DNS name normalisation is nowhere near similar to the normalisation used for user names in mail servers so even if you addressed the namespace collision there are still major problem. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From rick@openfortress.nl Tue Aug 6 23:31:29 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F1021E8051; Tue, 6 Aug 2013 23:31:29 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.354 X-Spam-Level: X-Spam-Status: No, score=-0.354 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R--3UINaY78N; Tue, 6 Aug 2013 23:31:23 -0700 (PDT) Received: from smtp-vbr13.xs4all.nl (smtp-vbr13.xs4all.nl [194.109.24.33]) by ietfa.amsl.com (Postfix) with ESMTP id 5049321F9FBD; Tue, 6 Aug 2013 23:31:16 -0700 (PDT) Received: from [10.0.1.225] (phantom.vanrein.org [83.161.146.46]) (authenticated bits=0) by smtp-vbr13.xs4all.nl (8.13.8/8.13.8) with ESMTP id r776V9wB073172 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 7 Aug 2013 08:31:10 +0200 (CEST) (envelope-from rick@openfortress.nl) Mime-Version: 1.0 (Mac OS X Mail 6.5 $1508$) Content-Type: text/plain; charset=us-ascii From: "Rick van Rein (OpenFortress)" In-Reply-To: <30532.1375843681@sandelman.ca> Date: Wed, 7 Aug 2013 08:31:08 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> <30532.1375843681@sandelman.ca> To: Michael Richardson X-Mailer: Apple Mail (2.1508) X-Virus-Scanned: by XS4ALL Virus Scanner X-Mailman-Approved-At: Wed, 07 Aug 2013 00:05:32 -0700 Cc: openpgp@ietf.org, Phillip Hallam-Baker , John Gilmore , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Aug 2013 06:31:30 -0000 Hello, >> The classic Internet protocol for providing per-user data is = "finger", >> RFC 742 from 1977. Love it. My first play with redundant/reliable hosting was = "fingerhosting", which achieved 99.9999% uptime due to tripple servers of 99% each :) >> Finger has two drawbacks for this purpose: It is not authenticated = nor >> encrypted; Yes, so it is purely there for public data. For such data, it's = better-positioned user data than DNS. >> and it is designed to be human-readable, not >> machine-readable. That ought to be good for some degree of privacy ;-) but this is why so = many attempts are made to structure data in DNS but why I prefer LDAP = with its large set of predefined techniques and formats -- and it's = openness for DIY specs that won't clash due to the use of ASN1 OIDs. I wouldn't mind seeing http://user@domain/ step into this cavity BTW -- = HTTP must be the only protocol on the planet (well, sort of) that does = not support usernames, and we are using this pattern very, very often = nowadays. > Given IPv6, putting a unique IP > address per hosted domain isn't so terrible, but having > % finger user@example.com This would be an operational impossibility I fear. If people need to = get an IPv6 address per user to be able to run finger, then no admin = will support it. "Just use WebFinger", I can hear them say. WebFinger by the way, is too far up the stack IMHO -- it queries the = .well-known directory on a webserver, fills in a pattern and does a = query. Sounds more like DNS stuff to me, and a good application for = http://user@domain/ -- the other obvious beneficiary being OpenID. This = might call for a SRV record of some kind in the DNS -- or an NAPTR. > (yes, you can finger me for keys to check this message. John convinced = me it > the utility 15 years ago.) Wonderful :) If there were more like you it'd be the = IPv6-added-value-showcase that could help the transport concur the World = ;-) -Rick= From rick@openfortress.nl Thu Aug 8 12:56:53 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 630A721F8AA1; Thu, 8 Aug 2013 12:56:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.429 X-Spam-Level: X-Spam-Status: No, score=-0.429 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vdVW-P4wOm1J; Thu, 8 Aug 2013 12:56:24 -0700 (PDT) Received: from smtp-vbr14.xs4all.nl (smtp-vbr14.xs4all.nl [194.109.24.34]) by ietfa.amsl.com (Postfix) with ESMTP id A8D9A11E8219; Thu, 8 Aug 2013 12:56:02 -0700 (PDT) Received: from [10.0.1.225] (phantom.vanrein.org [83.161.146.46]) (authenticated bits=0) by smtp-vbr14.xs4all.nl (8.13.8/8.13.8) with ESMTP id r78JtmqC075505 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 8 Aug 2013 21:55:50 +0200 (CEST) (envelope-from rick@openfortress.nl) Mime-Version: 1.0 (Mac OS X Mail 6.5 $1508$) Content-Type: text/plain; charset=windows-1252 From: "Rick van Rein (OpenFortress)" In-Reply-To: Date: Thu, 8 Aug 2013 21:55:48 +0200 Content-Transfer-Encoding: quoted-printable Message-Id: <530909EF-59D1-47F7-AA29-47A69F4C37C4@openfortress.nl> References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> To: Paul Wouters X-Mailer: Apple Mail (2.1508) X-Virus-Scanned: by XS4ALL Virus Scanner Cc: openpgp@ietf.org, Phillip Hallam-Baker , John Gilmore , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Aug 2013 19:56:54 -0000 Ah! > I would suggest we address DNS query privacy in a generic way for all = DNS, I feel a proposal towards DNS over TLS [1] coming up ;-) -Rick [1] The hard way, even=85 first negotiating ANON-DH, then doing a secure = renegotiation to obtain the identity of the remote server, and finally = retrieving the data requested.= From paul@cypherpunks.ca Thu Aug 8 12:45:01 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38E1511E820C; Thu, 8 Aug 2013 12:45:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.67 X-Spam-Level: X-Spam-Status: No, score=-1.67 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_20=-0.74] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BK-lrVSUOY7a; Thu, 8 Aug 2013 12:44:55 -0700 (PDT) Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id 56A4711E820D; Thu, 8 Aug 2013 12:44:54 -0700 (PDT) Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3cB0R65FYlz47F; Thu, 8 Aug 2013 15:44:50 -0400 (EDT) X-Virus-Scanned: amavisd-new at mx.nohats.ca Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id UnGSUa1YaXQK; Thu, 8 Aug 2013 15:44:49 -0400 (EDT) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by mx.nohats.ca (Postfix) with ESMTP; Thu, 8 Aug 2013 15:44:48 -0400 (EDT) Received: by bofh.nohats.ca (Postfix, from userid 500) id E3F2E80EC9; Thu, 8 Aug 2013 15:44:49 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D686380E8F; Thu, 8 Aug 2013 15:44:49 -0400 (EDT) Date: Thu, 8 Aug 2013 15:44:49 -0400 (EDT) From: Paul Wouters X-X-Sender: paul@bofh.nohats.ca To: John Gilmore In-Reply-To: <201308070106.r7716UgN004651@new.toad.com> Message-ID: References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> User-Agent: Alpine 2.10 (LFD 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Mailman-Approved-At: Thu, 08 Aug 2013 13:29:54 -0700 Cc: openpgp@ietf.org, "Rick van Rein $OpenFortress$" , Phillip Hallam-Baker , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Aug 2013 19:45:01 -0000 On Tue, 6 Aug 2013, John Gilmore wrote: >>> * draft-wouters-dane-openpgp-00 >>> * draft-wouters-dane-otrfp-00 > > These actually specify how to get authenticated key material from the > DNS. (However, they don't encrypt the DNS transaction, so the > identity of the user being communicated with is leaked to NSA and > any other wiretappers...) I would suggest we address DNS query privacy in a generic way for all DNS, although even if you just encrypt, it might not be enough when the adversary has so many listening points, and the user immediately uses the DNS information for another action (eg an IM message or sending an email) Paul From iang@iang.org Fri Aug 9 01:43:22 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E45921F9E36 for ; Fri, 9 Aug 2013 01:43:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.299 X-Spam-Level: X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 58yyWWGcgqsx for ; Fri, 9 Aug 2013 01:43:09 -0700 (PDT) Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) by ietfa.amsl.com (Postfix) with ESMTP id F1DD021F9ADA for ; Fri, 9 Aug 2013 01:43:08 -0700 (PDT) Received: from tormenta.local (www2.futureware.at [78.41.115.142]) by virulha.pair.com (Postfix) with ESMTPSA id CC3C46D4A7; Fri, 9 Aug 2013 04:42:55 -0400 (EDT) Message-ID: <5204AB8E.8020309@iang.org> Date: Fri, 09 Aug 2013 11:42:54 +0300 From: ianG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: openpgp@ietf.org References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Aug 2013 08:43:22 -0000 On 8/08/13 22:44 PM, Paul Wouters wrote: > On Tue, 6 Aug 2013, John Gilmore wrote: > >>>> * draft-wouters-dane-openpgp-00 >>>> * draft-wouters-dane-otrfp-00 >> >> These actually specify how to get authenticated key material from the >> DNS. Would they work? (yes, asking for forgiveness for not reading them here...) > (However, they don't encrypt the DNS transaction, so the >> identity of the user being communicated with is leaked to NSA and >> any other wiretappers...) > > I would suggest we address DNS query privacy in a generic way for all > DNS, although even if you just encrypt, it might not be enough when the > adversary has so many listening points, and the user immediately uses > the DNS information for another action (eg an IM message or sending an > email) If I was the NSA, I'd make sure that people were focussed on solving the entire encryption and traffic analysis problem. Complete solution, end to end, with lots of options. I'd fight like hell to stop them just solving the authentication problem. iang From benlaurie@gmail.com Fri Aug 9 08:00:47 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E9FF21F99DC; Fri, 9 Aug 2013 08:00:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GofO3WCmnQDO; Fri, 9 Aug 2013 08:00:46 -0700 (PDT) Received: from mail-qe0-x233.google.com (mail-qe0-x233.google.com [IPv6:2607:f8b0:400d:c02::233]) by ietfa.amsl.com (Postfix) with ESMTP id 1868D21E80A7; Fri, 9 Aug 2013 07:56:01 -0700 (PDT) Received: by mail-qe0-f51.google.com with SMTP id nd7so2380111qeb.38 for ; Fri, 09 Aug 2013 07:56:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=GAP2OeYJB2B1gK0MUZzpvDPFr9T5EjONvZJwayGr460=; b=dF0ExLxPvgAEH+GaP1zzmHVn7yWo0C1X7s4NRXmIBCwgbSyupZ/PIKTGBeDHtdl4zI bwXZ07sTxsDvseL9bsYFfDYc76Wceu4wNOktLc5rn0k5WMmuIvKCjlL4NyPHi/Rmr4n4 PmX5RKkz1z9qCvFMCCGGqqYRDvaWNB0czUc7G8NFBAdXiBSyAR/9UBxhIclu0trDjruV GGvizhRvoiQ6Cplqhxzn1MX2MPSOfELQeHBtsPXO4yeEEto/erQYl5cIHrcnAzw43WJ1 +g8qw9JlnOqtwwX6yu54cSu0hQNgsDWp8mR0fZYCEXHufPLh2QDJjocJFNkd0hpHr87n t9mw== MIME-Version: 1.0 X-Received: by 10.49.105.36 with SMTP id gj4mr1019881qeb.56.1376060160535; Fri, 09 Aug 2013 07:56:00 -0700 (PDT) Sender: benlaurie@gmail.com Received: by 10.49.4.227 with HTTP; Fri, 9 Aug 2013 07:56:00 -0700 (PDT) In-Reply-To: <201308070106.r7716UgN004651@new.toad.com> References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> Date: Fri, 9 Aug 2013 15:56:00 +0100 X-Google-Sender-Auth: DffmglOJSPol_xfLy5jIdcQlBIA Message-ID: From: Ben Laurie To: John Gilmore Content-Type: text/plain; charset=ISO-8859-1 Cc: openpgp@ietf.org, "Rick van Rein $OpenFortress$" , Phillip Hallam-Baker , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Aug 2013 15:00:47 -0000 On 7 August 2013 02:06, John Gilmore wrote: >> For what it is worth, I agree that using the DNS to store per-user data is >> not a good approach. The DNS administration model is that it makes >> assertions about network names and not individual users. Previous attempts >> to put end users in the DNS have uniformly met with failure. >> >> But that does not mean that LDAP is a useful tool. LDAP has tons of >> complexity and none of it does the slightest bit of good. > > The classic Internet protocol for providing per-user data is "finger", > RFC 742 from 1977. (Note by the way the illustrious users in the > "examples" section.) It has been updated a few times, most recently > in RFC 1288 from 1991. It is a Draft Standard. Many people put their > PGP public key in their .plan file for easy remote access via finger. > > Finger has two drawbacks for this purpose: It is not authenticated nor > encrypted; and it is designed to be human-readable, not > machine-readable. But a simple finger-like protocol, authenticated > and encrypted via keys anchored in DNSSEC, might not only fill the > need to obtain keys, but also offer a secured and machine-readable > replacement for the finger protocol. https://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ > >> Sounds like you are proposing this. >> http://www.ietf.org/rfc/rfc4386.txt > > Well, no. That just specifies a DNS RR for finding a server that > includes X.509 stuff. It doesn't define a protocol for getting the > stuff from that server, nor is it generic to information beyond X.509. > >>> * draft-wouters-dane-openpgp-00 >>> * draft-wouters-dane-otrfp-00 > > These actually specify how to get authenticated key material from the > DNS. (However, they don't encrypt the DNS transaction, so the > identity of the user being communicated with is leaked to NSA and > any other wiretappers...) > > John > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp From paul@cypherpunks.ca Fri Aug 9 13:00:05 2013 Return-Path: X-Original-To: openpgp@ietfa.amsl.com Delivered-To: openpgp@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E6D211E81B1; Fri, 9 Aug 2013 13:00:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.134 X-Spam-Level: X-Spam-Status: No, score=-2.134 tagged_above=-999 required=5 tests=[AWL=0.465, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBt4nfFXJp+x; Fri, 9 Aug 2013 13:00:00 -0700 (PDT) Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0994D21F9C7E; Fri, 9 Aug 2013 12:52:08 -0700 (PDT) Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3cBcXy6GnGz9bF; Fri, 9 Aug 2013 15:52:02 -0400 (EDT) X-Virus-Scanned: amavisd-new at mx.nohats.ca Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id QCAr6bWPUvYl; Fri, 9 Aug 2013 15:52:01 -0400 (EDT) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by mx.nohats.ca (Postfix) with ESMTP; Fri, 9 Aug 2013 15:52:01 -0400 (EDT) Received: by bofh.nohats.ca (Postfix, from userid 500) id 93A1480EC9; Fri, 9 Aug 2013 15:52:02 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 863E280E8F; Fri, 9 Aug 2013 15:52:02 -0400 (EDT) Date: Fri, 9 Aug 2013 15:52:02 -0400 (EDT) From: Paul Wouters X-X-Sender: paul@bofh.nohats.ca To: Ben Laurie In-Reply-To: Message-ID: References: <030F2A8C-1C25-4C91-88FD-C81AF44FA98E@openfortress.nl> <201308070106.r7716UgN004651@new.toad.com> User-Agent: Alpine 2.10 (LFD 1266 2009-07-14) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII Cc: "Rick van Rein $OpenFortress$" , openpgp@ietf.org, Phillip Hallam-Baker , John Gilmore , "dane@ietf.org" Subject: Re: [openpgp] [dane] Storing public keys in DNS or LDAP, or elsewhere X-BeenThere: openpgp@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Ongoing discussion of OpenPGP issues." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Aug 2013 20:00:05 -0000 On Fri, 9 Aug 2013, Ben Laurie wrote: > https://datatracker.ietf.org/doc/draft-ietf-appsawg-webfinger/ To get back somewhat to the openpgpkey dns record type.... The CERT record (RFC-4398) has a type for PGP (data is key blob) and iPGP (data is URI pointer) http://tools.ietf.org/html/rfc4398#section-2.1 Perhaps the openpgpkey draft can be generalised and obsolete RFC4398. It would allow storing user PKIX certificates in DNS as well pgp keys (or URI's to these respectively) Paul