A few of us here at NIST have a proposal to float by the group:
We submitted an Internet-Draft on using a new DNS RRType to signal that all
email coming from the domain will be signed (proposed type is called
SMIMELOCK). So that when a client receives an email that lacks an SMIME
signature from a domain with the SMIMELOCK RR, it could be marked as suspect.
The draft is at:
https://datatracker.ietf.org/doc/draft-srose-smimelock/
However, we got to thinking that it might be better to include this as part of
the DMARC RDATA instead of a new RRType. Basically, the new component could be:
dmarc-smime = "smime" *WSP "=" *WSP ("all" / "partial" / "none")
Where:
"all" means all email originating from this domain contains a SMIME signature
"partial" means some email originating from this domain contains an SMIME
signature (used for incremental deployment as an example).
"none" means this domain does not issue SMIME certs.
Though the draft only has "all", we consider having other options for the
SMIMELOCK value might be useful. It's something that the community should
decide. As we see it, the pro of having it in the DMARC RR is that it reduces
the number of queries a client needs to make, and gets it deployed quicker (no
need to wait for DNS implementations to be able to understand the new RRType).
The downside of this is (we admit) that it is "mission creep" of DMARC to now
look at the contents of the message (at least for a SMIME sig) instead of just
the header.
So a question to the group: Is there enough interest to continue this idea and
start a more formal write-up? Or, as stated above, is the DMARC RR not quite
the right place for a domain to make this sort of statement on SMIME use?
Scott
===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
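An added example (not part of Scott's post or the draft) showing how a receiver would parse a DMARC record carrying the proposed "smime" tag and classify a message by whether it carries an S/MIME signature; the sample record, the function names and the "no-policy" handling of an absent or unparsable tag are constructed assumptions.

```python
# Constructed sample: a DMARC TXT record at _dmarc.example.com carrying the
# proposed "smime" tag (hypothetical; not a registered DMARC tag).
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; smime = all"

# Proposed ABNF from the post:
#   dmarc-smime = "smime" *WSP "=" *WSP ("all" / "partial" / "none")
SMIME_VALUES = {"all", "partial", "none"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag->value dict (tags lower-cased).

    Tolerates optional whitespace around '=' and ';' and keeps unknown tags,
    matching DMARC's tag=value; syntax.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed fragment
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def smime_policy(record):
    """Return the declared smime value, or None when the tag is absent or
    not one of the three proposed values (treated as 'no statement')."""
    value = parse_dmarc(record).get("smime")
    if value is None:
        return None
    value = value.lower()
    return value if value in SMIME_VALUES else None


def assess_message(record, has_smime_signature):
    """Classify a received message against the sending domain's record.

    'suspect'  : domain declares smime=all but the message is unsigned
    'ok'       : consistent with the declared policy (partial deployment
                 cannot flag an unsigned message, so it is 'ok' too)
    'no-policy': the record makes no valid statement about S/MIME
    """
    policy = smime_policy(record)
    if policy is None:
        return "no-policy"
    if policy == "all" and not has_smime_signature:
        return "suspect"
    return "ok"
```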