On Sat, Jul 25, 2015 at 8:56 AM, Paul Wouters <paul(_at_)nohats(_dot_)ca> wrote:
Answering phb and dkg:
I looked at it with Petr Spacek after the meeting, and I plan on
providing Paul with a more detailed review shortly.
Greatly appreciated!
DANE is trying to do three different things. It is trying to be a key
discovery service, a security policy publication mechanism and a way
of validating keys using the DNSSEC.
I think this overview is accurate.
That's not how I see it. It is surely a discovery and distribution
system for keys. But it is not a policy publication mechanism. The
draft (carefully) does not tell you what you can or cannot do with the
key. Some people tried to propose this (mostly for smime) by having
different prefixes for _encrypt or _sign, but this was not adopted.
Again, you don't seem to understand the spec. 'MUST USE TLS' is one of the
purported benefits. Key pinning to a specific key is another. Those are
security policy.
I think those should be taken out of DANE but that hasn't happened yet as
far as I am aware.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp