Minutes for DANE at interim-2014-dane-1
DNS-based Authentication of Named Entities
||Minutes for DANE at interim-2014-dane-1
DANE WG Interim Virtual Meeting
2 December 2014 at 10:00am Eastern
Thanks to Russ Housley and Doug Montgomery for taking notes.
The DANE WG held a 1 hour interim virtual meeting to cover S/MIME
usage. The agenda covers two Internet-Drafts:
Virtual Blue Sheet
Warren Kumari, Olafur Gudmundsson, Doug Montgomery, Victor Dukhovni, Allison
Mankin, Eric Osterweil, Gowri (? Webex name), Jakob Schlyter, John Levine,
Matthew Miller, Paul Hoffman, Russ Housley, S. Hugue, Scott Rose.
Meeting called to order 10:05
Warren put the NOTE WELL on the WebEx screen, and he reminded everyone
that the NOTE WELL applies to this meeting.
No jabber scribe but room in use.
draft-osterweil-dane-ent-email-reqs provides a way to find certificates
for mail recipients that the sender has not previously obtained a
Paul asked whether the certificate is always sent in the S/MIME message.
This lead to a discussion of the ways that DANE could provide a
certificate for a recipient that has a conflict in some way or another,
including key usages that do not allow encryption or an expired
Doug advocated for sufficient policy to unambiguously find the keys
that are needed, even when a user has more than one for different
purposes. He wants to be able to post encryption certificates with
policy that says which applications can use it. The domain might
allow the key to be used for file encryption but not S/MIME.
Viktor points out that the look up label can contain some of these
Paul asked whether a DANE look up can be used to determine the
applicability of a certificate that was obtained from another
Viktor argued that we cannot specify an ordering of discovery
protocols, especially when we do not know what might be defined
in the future. Viktor also said that DANE should provide positive
Doug wants a domain to be able to say some negative assertions, like
some key cannot be used for S/MIME.
Russ stated a concern that an address book will have to keep track of
the origin of the certificate to know whether a subsequent DANE look
up is needed before using a certificate fetched using DANE.
Eric wants DANE to identify certificates to be used for a particular
Viktor suggested that case sensitivity of the left-hand side of the
email address should be addressed.
Warren and Olafur asked for additional use cases to be sent to the
DANE WG mail list. They also reminded everyone that there are two
WG Last Calls in progress.
Meeting closed at 11:00 Eastern time.
Extra notes (did not combine them inline as it would have made it harder to
read): a. Paul Hoffman : Are we expecting DANE/SMIME to change base SMIME
behavior? b. Victor Dukhovni : Just changing CERT validation model, not the
SMIME behavior beyond that. c. Paul Hoffman : Are we addressing conflicts
between existing SMIME cert mechanisms. DANE SMIME usage conflicts with X.509
CERT? d. Warren Kumari : what if expired X.509. e. Doug Montgomery : want to be
unambiguously be able to express the binding relationship between existing
keying material and its usage in the specific context of SMIME in this domain
(view). f. Victor Dukhovni : DANE usages are orthogonal. g. Victor Dukhovni :
Whether or not PKIX specifies usages, DANE might refine the usages. h. Victor
Dukhovni : Supports some means to distinguish signing vs encryption keys. i.
Paul Hoffman : thinks we want to be able to refine service specific X.509 key
usages. j. Victor Dukhovni : Only positive assertions. Not revocations. k.
Doug Montgomery : Never meant to use DANE to revoke X.509 CERT, only reject its
use in this context. l. Doug Montgomery : How to distinguish partial deployment
from "lack of positive assertion"?
Is the fact there is no SMIMEA record as statement of policy or just a
transient of partial deployment.
m. Russ Housley : New requirement to track how credentials are validated.
n. Victor Dukhovni : Against invalidating a network identity.
o. Russ Housley : How do we manage MUA address books with DANE?
p. Victor Dukhovni : Need to address case sensitivity in email addresses.
q. Victor Dukhovni : More use case examples coupled to the requirements.
r. Warren Kumari : Supports the need for more use cases.