Hi,

On 04/06/2015 03:22 AM, Paul Hoffman wrote:
> - Lookup of OpenPGP and S/MIME keys and certs in the DNS are
> exact-match, following the DNS's database model. This is known to
> possibly fail when the party looking up the address has a copy of the
> email address different than what might be entered in the zone, such
> as with different casing. There is no expectation in this design that
> all variants that might be delivered to for a particular address will
> have key records. This design keeps the security model
> understandable: it's all authenticated just by DNSSEC.

Yes, if that is made explicit in the draft, it won't lead to false
assumptions by implementors. The draft does need some information on
UIDs on the keys and whether or not to match the recipient's address
against them.

> - Discovery of delivery variants is better handled by a more flexible
> protocol, such as WebFinger. In fact, instead of just looking for
> variants and then coming back to the DNS to get the key, that
> protocol can instead hand back the keys and certs directly in a
> single response. The security model for that protocol would also be
> simple: it's all authenticated by the TLS cert of the server. This
> new protocol should probably be designed somewhere in the
> Applications Area, not here, even though some of what is being
> delivered are objects similar to what we are delivering here.

Agreed, I started a write-up for a somewhat generic 'email metadata'
lookup mechanism with the intention of grabbing OpenPGP and S/MIME data
via webfinger. I hope to have an initial version done this week.

> If folks agree with this proposal, we can move forwards with
> draft-ietf-dane-openpgpkey pretty much as it is. (PaulW: you threw in
> downcasing before hashing, which is definitely not what people agreed
> to at the meeting.) For draft-ietf-dane-smime, we can then use the
> same format and semantics, and add in the LDAP access model proposed
> by Eric and Scott, which historically has never applied to OpenPGP.

Yes, with the remarks above :).

Regards,

Pieter
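The exact-match behaviour discussed above (and the downcasing-before-hashing question), as an added example that is not from this thread: the owner-name construction is assumed to be the one later published as RFC 7929 (SHA2-256 of the local part, truncated to 28 octets, hex-encoded, under `_openpgpkey`), and the email addresses are constructed sample input.

```python
import hashlib

OPENPGPKEY_LABEL = "_openpgpkey"


def openpgpkey_owner_name(email: str, downcase_local_part: bool = False) -> str:
    """Return the DNS owner name under which the OPENPGPKEY record for
    `email` would be looked up.

    Construction (assumed to follow the scheme later published as RFC 7929):
    SHA2-256 over the UTF-8 local part, truncated to 28 octets and hex-encoded,
    then "._openpgpkey." and the domain part. The lookup is exact-match: any
    change in the local-part octets yields a different owner name. DNS treats
    the domain part case-insensitively, so it is passed through unchanged.
    """
    if "@" not in email:
        raise ValueError("not an email address: %r" % email)
    # The rightmost '@' separates local part and domain.
    local_part, domain = email.rsplit("@", 1)
    if downcase_local_part:
        # Optional normalisation step debated in the thread; off by default.
        local_part = local_part.lower()
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return "%s.%s.%s" % (digest.hex(), OPENPGPKEY_LABEL, domain)


def lookup_would_match(published_for: str, queried_as: str,
                       downcase_local_part: bool = False) -> bool:
    """True iff a record published for `published_for` is found when a sender
    queries for `queried_as` (both sides must use the same normalisation)."""
    return (openpgpkey_owner_name(published_for, downcase_local_part)
            == openpgpkey_owner_name(queried_as, downcase_local_part))


if __name__ == "__main__":
    # Constructed sample: a record published for alice@example.com, then
    # looked up under address variants a sender might actually hold.
    published = "alice@example.com"
    for variant in ("alice@example.com", "Alice@example.com", "a.lice@example.com"):
        print("%-22s exact:%-5s downcased:%s" % (
            variant,
            lookup_would_match(published, variant),
            lookup_would_match(published, variant, downcase_local_part=True)))
        print("   ", openpgpkey_owner_name(variant))
```

Only the casing variant is rescued by downcasing; delivery variants such as dots or plus-tags still miss, which is why the thread leaves variant discovery to a separate protocol.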

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane