ietf-openpgp

Re: [openpgp] The DANE draft

2015-07-30 15:30:39
Paul Wouters <paul(_at_)nohats(_dot_)ca> writes:

>> Here are some thoughts, anyway:
>>
>> - Why a new DNS record despite the fact that the CERT type has had PGP
>>   support for 9 years now (RFC 4398).
>>
>>   The argument for a new record is that this makes parsing easier
>>   because there is no need to loop over the record's sub-types.  I do
>>   not consider it a valid argument because there is a need to loop
>>   anyway because there may be several DANE records for the same key.
>>   Adding an extra loop over the sub-types is a no-brainer and the
>>   selection logic to find the best matching record will be the same.

> Using subtypes for DNS is something the DNS people in general have
> concluded to be a wrong idea. As stated before, even Olafur who is one
> of the authors of the CERT RRtype advised us not to use CERT (or
> subtyping in general).

Then I believe that community should attempt to move RFC 2538/4398 to
historic.  I don't believe there is sufficient consensus for doing that
-- there is good use of CERT records already, although limited.

> Additionally, because the CERT record is a meta-container record,
> support for CERT is not good because to properly parse it you need
> all of openpgp and all of x509 and all of what other subtypes would
> be added later on. So instead of implementing CERT records partially,
> many DNS implementations just did not bother with it at all.

I disagree -- CERT can be implemented without understanding any of
OpenPGP or X.509, and it is implemented by DNS software already.

>>   GnuPG has support for such CERT records including a script to create
>>   them also for about 9 years.  It is not widely used because most users
>>   have no way to add records to their zone - that is the same problem
>>   for DANE of course.

> CERT wasn't widely used because frankly pgp is not widely used. Also,
> CERT without DNSSEC makes no sense.

This is false -- CERT makes a lot of sense without DNSSEC, as OpenPGP
keys can be verified through the web of trust.  I don't believe
comparing deployment sizes should be a deciding factor in this context,
but I disagree with your notion that OpenPGP is not widely used.

/Simon

Attachment: signature.asc
Description: PGP signature
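An added example, not code from this thread, from GnuPG or from the DANE draft: a minimal parser for CERT RDATA as laid out in RFC 4398, the sub-type loop the two sides are arguing about, and the separate OpenPGP packet-header check that the application consuming the key (not the DNS software) would run on the selected blob. The record contents are constructed placeholders rather than real keys, and the function names are assumptions of this example.

```python
"""CERT (RFC 4398) parsing and PGP sub-type selection, with the OpenPGP-aware
step kept separate.  Added example; sample data are constructed placeholders."""
import base64
import struct

# Certificate type values from RFC 4398, section 2.1.
CERT_TYPES = {
    1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI", 6: "IPGP",
    7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID",
}
CERT_TYPE_PGP = 3


def parse_cert_rdata(rdata):
    """Split CERT RDATA into (type, key tag, algorithm, certificate).

    Only the 5-octet fixed header is interpreted; the certificate field is
    returned as an opaque blob, so no X.509 or OpenPGP code is needed here.
    """
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def build_cert_rdata(cert_type, key_tag, algorithm, cert):
    """Inverse of parse_cert_rdata: wire-format RDATA for one CERT record."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


def cert_presentation(rdata):
    """RFC 4398 presentation format: CERT <type> <key tag> <alg> <base64>."""
    cert_type, key_tag, algorithm, cert = parse_cert_rdata(rdata)
    mnemonic = CERT_TYPES.get(cert_type, str(cert_type))
    return "CERT %s %d %d %s" % (mnemonic, key_tag, algorithm,
                                 base64.b64encode(cert).decode("ascii"))


def select_pgp_keys(rrset):
    """The sub-type loop the thread argues about: walk an RRset that may mix
    certificate types and keep only the PGP entries, still as opaque bytes."""
    return [cert for rdata in rrset
            for cert_type, _tag, _alg, cert in [parse_cert_rdata(rdata)]
            if cert_type == CERT_TYPE_PGP]


def _need(data, pos, n):
    """Return data[pos:pos+n], refusing to read past the end of the blob."""
    if pos + n > len(data):
        raise ValueError("truncated at offset %d" % pos)
    return data[pos:pos + n]


def openpgp_packet_tags(data):
    """Packet tags of an OpenPGP message (RFC 4880, section 4.2).

    This is the only OpenPGP-aware step; it belongs to the application that
    uses the key, not to the DNS software that stores or serves the record.
    Partial-body and indeterminate lengths are rejected rather than guessed.
    """
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("invalid packet header at offset %d" % pos)
        if hdr & 0x40:                                  # new-format header
            tag = hdr & 0x3F
            first = _need(data, pos + 1, 1)[0]
            if first < 192:
                hlen, length = 2, first
            elif first < 224:
                hlen = 3
                length = ((first - 192) << 8) + _need(data, pos + 2, 1)[0] + 192
            elif first == 255:
                hlen, length = 6, struct.unpack("!I", _need(data, pos + 2, 4))[0]
            else:
                raise ValueError("partial body length not supported")
        else:                                           # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            hlen = 1 + (1 << ltype)                     # 1, 2 or 4 length octets
            length = int.from_bytes(_need(data, pos + 1, hlen - 1), "big")
        _need(data, pos + hlen, length)                 # body must be present
        pos += hlen + length
        tags.append(tag)
    return tags


def usable_pgp_keys(rrset):
    """CERT sub-type loop first, then the OpenPGP-level sanity check that the
    blob parses and starts with a public-key packet (tag 6)."""
    good = []
    for key in select_pgp_keys(rrset):
        try:
            tags = openpgp_packet_tags(key)
        except ValueError:
            continue                                    # malformed blob: skip it
        if tags and tags[0] == 6:
            good.append(key)
    return good


# Constructed stand-in for an OpenPGP transferable public key: an old-format
# public-key packet (tag 6, 9-octet body) followed by a user ID packet
# (tag 13).  The body bytes are placeholders, not a real key.
FAKE_PGP_KEY = (bytes([0x80 | (6 << 2), 9]) + b"\x04\x55\xb9\x2b\x00\x01\x00\x02\x03"
                + bytes([0x80 | (13 << 2), 17]) + b"alice@example.com")

# Constructed RRset mixing certificate types; the PKIX blob is a placeholder.
# Key tag and algorithm identify a DNSSEC key and are left 0 for PGP and URI.
SAMPLE_RRSET = [
    build_cert_rdata(1, 12345, 8, b"\x30\x82\x01\x00\x00\x00\x00\x00"),
    build_cert_rdata(CERT_TYPE_PGP, 0, 0, FAKE_PGP_KEY),
    build_cert_rdata(253, 0, 0, b"https://keys.example.net/alice.asc"),
]

if __name__ == "__main__":
    for rdata in SAMPLE_RRSET:
        print(cert_presentation(rdata))
    print("usable PGP keys:", len(usable_pgp_keys(SAMPLE_RRSET)))
```

With the OPENPGPKEY record of the DANE draft (published later as RFC 7929) the RDATA is the transferable public key itself, so `select_pgp_keys` collapses to taking every RR in the RRset; the loop over the RRset and the OpenPGP-level check remain in either design. Note what `parse_cert_rdata` does and does not do: it handles the DNS side without any X.509 or OpenPGP code, which is the point made above about DNS software, but the application still needs an OpenPGP parser to use the blob, and whichever record type is used, the key has to be authenticated (DNSSEC, the web of trust, or both) before it is trusted.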

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp