Quote from Martijn Brinkers <[email protected]>:

On 04/02/2014 02:23 PM, [email protected] wrote:
> I would like to know if there are any plans to get Djigzo fetching S/MIME certificates by DANE (https://datatracker.ietf.org/wg/dane/charter/) in the future?

It's definitely something I'm interested in. However, I'm currently extremely busy finishing PGP support so I do not have any time for the coming weeks to even investigate what it takes to support this. I think the biggest issue is managing keys in DNS. DNSSEC is not yet widely supported (or am I wrong?) and DNSSEC is required. That said, it is something that is interesting to support because it might be helpful especially for gateway to gateway encryption.

Kind regards,
Martijn
It might be helpful to check how TLSA is done in Postfix Release 2.11. They use DANE to get/verify TLS certificates with DNSSEC enabled domains (http://www.postfix.org/TLS_README.html#client_tls_dane). From my point of view the basics are as follows:
The application (Djigzo) needs access to a nearby (localhost) validating resolver like for example Unbound across a "secure" channel. It must be able to ask DNS for matching SMIMEA records and check if the "AD" bit is set, so the DNSSEC part is already done. Furthermore the certificate usage field has to be checked to decide how to proceed with the data obtained from DNS. This is explained in the already published RFC-6698 for TLSA.
The issue of bringing the keys into the DNS is not the task of Djigzo IMHO; I have recently nagged the DNS guys with this to finally get DNSSEC for our zones ;-) Maybe this will even be the "killer feature" to finally get more DNSSEC deployments.
BTW: The same schema also applies for PGP...

Redefinition of DNS Authenticated Data (AD) bit: http://www.ietf.org/rfc/rfc3655.txt
Using Secure DNS to Associate Certificates with Domain Names For S/MIME: http://tools.ietf.org/html/draft-ietf-dane-smime-06
The Certificate Usage Field: http://tools.ietf.org/html/rfc6698#section-2.1
Using DANE to Associate OpenPGP public keys with email addresses: http://tools.ietf.org/html/draft-wouters-dane-openpgp-02
Maybe we finally have the long searched for secure and automatic distribution of the needed keys for encryption...
Regards and many thanks for providing Djigzo,
Andreas
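The three checks Andreas lists above (AD bit from a validating resolver, the usage/selector/matching-type fields of a TLSA/SMIMEA record per RFC 6698, and comparing the record against the certificate), as an added Python example that is not part of this thread and not Djigzo or Postfix code. The certificate, SPKI bytes and DNS header are constructed sample values; the real SMIMEA query and PKIX chain building are out of scope.

```python
import hashlib
import hmac
import struct

# Certificate usage values from RFC 6698 section 2.1; the SMIMEA draft reuses the TLSA layout.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
# Matching type: 0 = exact, 1 = SHA-256, 2 = SHA-512 of the selected data.
MATCHERS = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}
AD_FLAG = 0x0020  # Authenticated Data bit in the DNS header flags word (RFC 3655 / RFC 4035)

def parse_rdata(rdata: bytes):
    """Split TLSA/SMIMEA RDATA into usage, selector, matching type and association data."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short for a TLSA/SMIMEA record")
    return rdata[0], rdata[1], rdata[2], rdata[3:]

def header_has_ad_bit(dns_message: bytes) -> bool:
    """True when the validating resolver set AD, i.e. the answer passed DNSSEC validation."""
    (flags,) = struct.unpack("!H", dns_message[2:4])
    return bool(flags & AD_FLAG)

def record_matches(selector: int, matching_type: int, data: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo; unknown values never match."""
    selected = {0: cert_der, 1: spki_der}.get(selector)
    matcher = MATCHERS.get(matching_type)
    if selected is None or matcher is None:
        return False
    return hmac.compare_digest(matcher(selected), data)

def evaluate(dns_message: bytes, rdata: bytes, cert_der: bytes, spki_der: bytes) -> str:
    """Decide what the record means for the given certificate (end entity for usages 1/3, CA for 0/2)."""
    if not header_has_ad_bit(dns_message):
        return "reject: answer not DNSSEC-validated (AD bit clear)"
    usage, selector, matching_type, data = parse_rdata(rdata)
    if usage not in USAGE_NAMES:
        return f"reject: unknown certificate usage {usage}"
    if not record_matches(selector, matching_type, data, cert_der, spki_der):
        return f"reject: certificate does not match {USAGE_NAMES[usage]} record"
    if usage in (0, 1):
        return f"accept {USAGE_NAMES[usage]}: PKIX chain validation still required"
    return f"accept {USAGE_NAMES[usage]}: trust established by DANE alone"

# Constructed sample input (not real certificates or DNS traffic).
SAMPLE_CERT = b"constructed-end-entity-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
SAMPLE_RDATA = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()  # DANE-EE, SPKI, SHA-256
VALIDATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)  # QR, RD, RA, AD set
UNVALIDATED_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # AD clear
```

Note that the AD bit is only meaningful when the answer came from your own validating resolver over a channel an attacker cannot rewrite, which is why the localhost resolver above matters.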
_______________________________________________
Users mailing list
[email protected]
https://lists.djigzo.com/lists/listinfo/users
