Re: [dane] Draft charter
Patrick Ben Koetter <p@sys4.de> Mon, 12 May 2014 20:47 UTC
Return-Path: <p@sys4.de>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18A351A077F for <dane@ietfa.amsl.com>; Mon, 12 May 2014 13:47:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.302
X-Spam-Level:
X-Spam-Status: No, score=-2.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8NqP02Hddbl for <dane@ietfa.amsl.com>; Mon, 12 May 2014 13:47:02 -0700 (PDT)
Received: from mail.sys4.de (mail.sys4.de [IPv6:2001:1578:400:111::7]) by ietfa.amsl.com (Postfix) with ESMTP id 495481A077A for <dane@ietf.org>; Mon, 12 May 2014 13:47:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sys4.de; h= in-reply-to:content-transfer-encoding:content-disposition :content-type:content-type:mime-version:references:message-id :subject:subject:from:from:date:date; s=mail201310; t= 1399927808; x=1401742209; bh=gRWAZTxI+rqd4jUqgpd3Sz05vxE7duwY38n Dqxrirdw=; b=xsVd4KPI7sauAZg9VgpfzMmaHmHmSieSDkCzHBlkk02u+8/Q1fD l0sb1E70tjR0Alkyw3SjfU4+R8luvOmN/0oNr7grfno2G1bMobCdnKXEGC65LdSv wUCkIGtuAwS5LSgpBZ+NMFyzSntqwHWWfsHQ/tPw45F1NqJRAPPLMUDrYQEYpoEl I6Bzc3HyOtc26D2c2Wq7igiHx4fQBXcbY8o2qLX/klrg9REE7fdad8U/wmOuFtPY hVWTFR8J62ghPMsDjeV+wRet9Re8gsg2Jyg7aUyjEhdTOaMgOttC+Q1kFmJ2AbwO U/APbjf6YnS0XMEUjHWISBdW0E+RQ/jnCLA==
X-Virus-Scanned: Debian amavisd-new at mail.sys4.de
Received: from sys4.de (178-27-27-26-dynip.superkabel.de [178.27.27.26]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.sys4.de (Postfix) with ESMTPSA id 3gSDmc0DYsz3qL for <dane@ietf.org>; Mon, 12 May 2014 22:50:08 +0200 (CEST)
Date: Mon, 12 May 2014 22:46:53 +0200
From: Patrick Ben Koetter <p@sys4.de>
To: dane@ietf.org
Message-ID: <20140512204653.GL24708@sys4.de>
References: <120CB7DD-9835-4842-9298-9AA0C0485085@ogud.com> <20140512192714.GI27883@mournblade.imrryr.org> <906FAD54-CD40-43EA-B1AD-8EF7B50FD294@ogud.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <906FAD54-CD40-43EA-B1AD-8EF7B50FD294@ogud.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/g1Jj8NQNVyyouI6ni8wBwWoXD3I
Subject: Re: [dane] Draft charter
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 20:47:05 -0000
* Olafur Gudmundsson <ogud@ogud.com>: > Thank you Victor > > On May 12, 2014, at 3:27 PM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote: > > > On Mon, May 12, 2014 at 02:32:05PM -0400, Olafur Gudmundsson wrote: > > > >> Objective: > >> > >> ... > >> DANE functionality to their work. In addition the working group > >> will monitor and provide guidance to operators and tool developers. > >> will monitor and provide guidance to operators and tool developers. > > > > The above is a duplicate line. > > Fixed in version 03 to be posted soon > > > > >> The DANE working group has developed a framework for securely > >> retrieving keying information from the DNS [RFC6698]. This > >> framework allows secure storing and looking up public key > >> information in the DNS. This provides a binding between a domain > >> name providing a particular service and the key that can be used > >> to establish encrypted connection to that service. > > > > [ The below thoughts are likely too specific to rise to visibility > > in the charter, so are more likely fodder for 6698 revisions. ] > > > > The RFC6698-specified lookup key of _<port>._<proto>.<fqdn> is not > > universally applicable. It works OK for well known services such > > as SMTP on ports 25/587 or HTTPS on 443, but is not always well > > suited to environments in which service ports are dynamically > > registered. Also, sometimes the verifier wants to authenticate a > > TLS client acting on behalf of some domain in an appropriate > > capacity. > > > This also works well for services looked up via SRV records. > As the SRV contains the port number. > For a protocol that has some kind of other selector of port, still at the end of the day > the "Server" side has a "known-port" to the client, if the service moves from one port to another port OR > provides service on multiple ports then it is possible that the protocol definition for the DANE variant of that protocol can say > lookup of Authentication records is <Proto>FP at hostname. > > > Applications will in some use-cases need to agree on a lookup key > > that is not tied to a numeric port. It could be a service name or > > a client role. While a generic DANE TLS RFC (e.g. 6698) cannot > > anticipate or standardize such alternative lookup keys, a future > > update to 6698 should I think mention the need for such bindings, > > and encourage applications employing DANE TLSA to define appropriate > > alternative lookup keys. This could be of immediate benefit in > > XMPP to authenticate the origin of inbound traffic. > > > > Interesting are you you are saying we want to examine/specify client side DANE > records (right now DANE is all about server side records). I suggested that once to Viktor in an offlist mail, because I think a Receiver might also want to know, which Sender it talks to. Thesis: If I were a company to whom suppliers deliver work via email, I'd like to ensure its really them and not someome else, who sends me the production plan for some vital component. BTW: We run a mail gateway for suppliers who must deliver their work via TLS to their customers. The only way to enforce that is setting a policy on the sending side. I'd find a policy on the receiving side that incorporates DANE (if you can do it I require you to use it) attractive. Also for e.g. banks that need to exchange data between themselves. If encryption is vital there should be a mutual encryption policy. Each side should be able to enforce a policy that requires the other party to use encryption or transport will be rejected. +1 from my side if that helps to examine the usefulness of client side DANE. p@rick -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
- [dane] Draft charter Olafur Gudmundsson
- Re: [dane] Draft charter Viktor Dukhovni
- Re: [dane] Draft charter Olafur Gudmundsson
- Re: [dane] Draft charter Viktor Dukhovni
- Re: [dane] Draft charter Patrick Ben Koetter
- Re: [dane] Draft charter Olafur Gudmundsson
- Re: [dane] Draft charter - client side DANE recor… Olle E. Johansson
- Re: [dane] Draft charter - client side DANE recor… Kim Alvefur
- Re: [dane] Draft charter - client side DANE recor… Viktor Dukhovni
- Re: [dane] Draft charter - client side DANE recor… Patrick Ben Koetter
- Re: [dane] Draft charter James Cloos
- Re: [dane] Draft charter - client side DANE recor… James Cloos
- Re: [dane] Draft charter - client side DANE recor… James Cloos
- Re: [dane] Draft charter - client side DANE recor… Viktor Dukhovni
- Re: [dane] Draft charter Olafur Gudmundsson
- Re: [dane] Draft charter Viktor Dukhovni
- Re: [dane] Draft charter - client side DANE recor… Andreas Schulze
- Re: [dane] Draft charter - client side DANE recor… Viktor Dukhovni
- Re: [dane] Draft charter - client side DANE recor… James Cloos
- Re: [dane] Draft charter - client side DANE recor… Andreas Schulze
- Re: [dane] Draft charter - client side DANE recor… Viktor Dukhovni
- Re: [dane] Draft charter Petr Spacek