DANE WG Interim Virtual Meeting
2 December 2014 at 10:00am Eastern

Thanks to Russ Housley and Doug Montgomery for taking notes.

The DANE WG held a 1 hour interim virtual meeting to cover S/MIME usage. The agenda covers two Internet-Drafts:

* draft-ietf-dane-smime
* draft-osterweil-dane-ent-email-reqs

Virtual Blue Sheet
--------------------
Warren Kumari, Olafur Gudmundsson, Doug Montgomery, Viktor Dukhovni, Allison Mankin, Eric Osterweil, Gowri (? Webex name), Jakob Schlyter, John Levine, Matthew Miller, Paul Hoffman, Russ Housley, S. Hugue, Scott Rose.

Meeting called to order 10:05

Warren put the NOTE WELL on the WebEx screen, and he reminded everyone that the NOTE WELL applies to this meeting. No jabber scribe, but the room is in use.

draft-osterweil-dane-ent-email-reqs provides a way to find certificates for mail recipients for whom the sender has not previously obtained a certificate. Paul asked whether the certificate is always sent in the S/MIME message. This led to a discussion of the ways that DANE could provide a certificate for a recipient that conflicts in some way with what the sender already holds, including a certificate whose key usage does not allow encryption or one that has expired.

Doug advocated for sufficient policy to unambiguously find the keys that are needed, even when a user has more than one key for different purposes. He wants to be able to publish encryption certificates with policy that says which applications can use them; the domain might allow a key to be used for file encryption but not for S/MIME. Viktor pointed out that the lookup label can carry some of these key attributes.

Paul asked whether a DANE lookup can be used to determine the applicability of a certificate that was obtained from another source. Viktor argued that we cannot specify an ordering of discovery protocols, especially when we do not know what might be defined in the future. Viktor also said that DANE should provide positive assertions. Doug wants a domain to be able to make some negative assertions, such as that a particular key cannot be used for S/MIME.

Russ stated a concern that an address book will have to keep track of the origin of each certificate in order to know whether a subsequent DANE lookup is needed before using a certificate that was fetched using DANE. Eric wants DANE to identify the certificates to be used for a particular inbox. Viktor suggested that case sensitivity of the left-hand side of the email address should be addressed.

Warren and Olafur asked for additional use cases to be sent to the DANE WG mail list. They also reminded everyone that there are two WG Last Calls in progress.

Meeting closed at 11:00 Eastern time.

Extra notes (not combined inline, as that would have made the minutes harder to read):

a. Paul Hoffman: Are we expecting DANE/SMIME to change base SMIME behavior?
b. Viktor Dukhovni: Just changing the CERT validation model, not the SMIME behavior beyond that.
c. Paul Hoffman: Are we addressing conflicts between existing SMIME cert mechanisms? DANE SMIME usage conflicts with X.509 CERT?
d. Warren Kumari: What if the X.509 cert is expired?
e. Doug Montgomery: Want to be able to unambiguously express the binding relationship between existing keying material and its usage in the specific context of SMIME in this domain (view).
f. Viktor Dukhovni: DANE usages are orthogonal.
g. Viktor Dukhovni: Whether or not PKIX specifies usages, DANE might refine the usages.
h. Viktor Dukhovni: Supports some means to distinguish signing vs. encryption keys.
i. Paul Hoffman: Thinks we want to be able to refine service-specific X.509 key usages.
j. Viktor Dukhovni: Only positive assertions. Not revocations.
k. Doug Montgomery: Never meant to use DANE to revoke an X.509 CERT, only to reject its use in this context.
l. Doug Montgomery: How to distinguish partial deployment from "lack of positive assertion"? Is the fact that there is no SMIMEA record a statement of policy, or just a transient of partial deployment?
m. Russ Housley: New requirement to track how credentials are validated.
n. Viktor Dukhovni: Against invalidating a network identity.
o. Russ Housley: How do we manage MUA address books with DANE?
p. Viktor Dukhovni: Need to address case sensitivity in email addresses.
q. Viktor Dukhovni: More use case examples coupled to the requirements.
r. Warren Kumari: Supports the need for more use cases.
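As an added illustration (not part of the minutes, and not code from either draft), the following shows how an SMIMEA owner name and record are built for a mailbox, assuming the owner-name rule that draft-ietf-dane-smime settled on when published as RFC 8162: SHA2-256 over the local-part, truncated to 28 octets, then "._smimecert." and the domain. Whether the local-part is lowercased before hashing is the case-sensitivity question Viktor raised, so it is left as a caller choice here rather than decided; the certificate bytes and addresses are constructed sample values.

```python
import hashlib
import re

SMIMECERT_LABEL = "_smimecert"          # fixed label from draft-ietf-dane-smime
OWNER_RE = re.compile(r"^[0-9a-f]{56}\._smimecert\.[a-z0-9.-]+\.$")

def smimea_owner_name(local_part: str, domain: str, lowercase: bool = False) -> str:
    """DNS owner name for an SMIMEA lookup of local_part@domain.

    Assumed rule: hex(SHA2-256(local-part)[:28]) + "._smimecert." + domain.
    The domain is always case-insensitive; the local-part is only lowercased
    when the caller asks, because that policy was left open in the meeting.
    """
    lp = local_part.lower() if lowercase else local_part
    digest = hashlib.sha256(lp.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}.{SMIMECERT_LABEL}.{domain.rstrip('.').lower()}."

def smimea_rdata(usage: int, selector: int, matching_type: int, assoc: bytes) -> str:
    """Presentation form of SMIMEA RDATA (same layout as TLSA):
    certificate usage, selector, matching type, association data in hex."""
    for field in (usage, selector, matching_type):
        if not 0 <= field <= 255:
            raise ValueError("SMIMEA fields are single octets")
    return f"{usage} {selector} {matching_type} {assoc.hex()}"

def dane_ee_record(local_part: str, domain: str, cert_der: bytes) -> str:
    """Full zone-file line publishing cert_der as a DANE-EE (usage 3) record,
    selector 0 (whole certificate), matching type 1 (SHA2-256 of it)."""
    assoc = hashlib.sha256(cert_der).digest()
    return f"{smimea_owner_name(local_part, domain)} IN SMIMEA {smimea_rdata(3, 0, 1, assoc)}"

def candidate_owner_names(address: str) -> list:
    """Names a sender might query for an address whose local-part case is
    uncertain: as given first, then lowercased if that differs.  This is an
    illustration of the open question, not behaviour either draft specifies."""
    local_part, domain = address.rsplit("@", 1)
    names = [smimea_owner_name(local_part, domain)]
    lowered = smimea_owner_name(local_part, domain, lowercase=True)
    if lowered not in names:
        names.append(lowered)
    return names

if __name__ == "__main__":
    SAMPLE_CERT = b"\x30\x82\x01\x00constructed-not-a-real-certificate"  # constructed
    print(dane_ee_record("Alice", "example.com", SAMPLE_CERT))
    for name in candidate_owner_names("Alice@Example.COM"):
        print(name)
```

Running it prints a zone-file line for the constructed certificate and shows that "Alice" and "alice" yield different owner names unless the local-part is normalised first.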