On Oct 26, 2013, at 1:32 PM, Phillip Hallam-Baker <[email protected]> wrote:
> I don't see much point in trying to couple DANE to PGP.
>
> I don't care about sending mail to cypherpunks.ca, I care about sending it
> to Paul Wouters.
>
> Except in very rare instances where an individual controls the domain or if I
> am sending to an enterprise, the domain is going to be pretty much irrelevant
> to authenticating the key.
>
> Locking down the mailserver key with DANE makes perfect sense. In fact that
> is the only reason I can see to do DNSSEC right now.

Dear Phillip,

Agreed. Allow me to expand.

Who is communicating with whom should be considered private, but knowing which domain is sending data does not cause the same level of exposure when contained entities can be associated with different domains. While the actual entity sending a message might be encrypted, knowing the domain facilitating the exchange is the bare minimum needed to defend the services. No service can be allowed to issue messages anonymously.

XMPP offers clues about how this is deployable at scale in DNS where dial-back techniques should be disabled:

_xmpp-client._tcp.example.com. 36000 IN SRV 0 3 5222 xmpp.example.com.
_xmpp-server._tcp.example.com. 36000 IN SRV 0 3 5269 xmpp.example.com.

Unfortunately, major providers fail to ensure use of valid certificates and may only offer self-signed certificates where explicit exceptions need to be quietly made. Could this explain why a widely used IM client popular in Europe is likely obtained using HTTP?

Things like DANE offer hope. Being unable to trust DNS or routing, it seems DANE offers a conceivable solution.

I also agree with Albert Lunde about not embedding Turing-complete interpreters. It is amazing this is not seen as harmful from a security perspective.

Perhaps the IETF could offer buttons and stickers for sale along with DNSSEC and DANE, or would that upset those not wanting to see anything change? :^)

Regards,
Douglas Otis

There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live - did live, from habit that became instinct - in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.

Excerpt from Chapter One of George Orwell's book _Nineteen Eighty-Four_
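The "locking down the server key with DANE" step the thread refers to, as an added example that is not from the thread or from either author: it locates the SubjectPublicKeyInfo in an X.509 certificate and checks it against a TLSA record per RFC 6698. The certificate skeleton and the TLSA record are constructed here; in practice the certificate comes from the TLS handshake with the host named in the SRV record and the TLSA record from a DNSSEC-validated lookup of a name such as _5269._tcp.xmpp.example.com.

```python
import hashlib

def der(tag, body):  # minimal DER TLV encoder, used only to build the constructed cert
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(buf, off):  # decode one DER header at buf[off] -> (tag, value_start, value_end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + ln

def spki_from_cert(cert_der):
    """Return the DER of subjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert_der, pos)
    if tag == 0xA0:                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    _, _, end = tlv(cert_der, pos)     # subjectPublicKeyInfo SEQUENCE
    return cert_der[pos:end]

def parse_tlsa(rdata):
    """Parse presentation-format rdata '<usage> <selector> <mtype> <hex>' into a tuple."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def tlsa_matches(usage, selector, mtype, data, cert_der):
    """RFC 6698 association check: selector 0 = full cert, 1 = SPKI; matching type
    0 = exact, 1 = SHA-256, 2 = SHA-512. Usages 0/1 also need PKIX validation and
    usage 2 a chain to the TLSA trust anchor; only usage 3 (DANE-EE) stops here."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        return False
    target = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(mtype)
    return digest is not None and digest(target) == data

# Constructed certificate skeleton (no real key or signature); only the ASN.1 layout matters.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + der(0x30, b"") + der(0x03, b"\x00" + b"\x22" * 70))
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()  # record an operator publishes
```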
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
