Re: Please review OpenPGP part of RFC 2538bis
Florian Weimer <fw@xxxxxxxxxxxxx> writes:
> * Simon Josefsson:
>
>> Is this correct? Would it be useful to mention other kind of OpenPGP
>> data packets directly, as well?
>
> Why do you want to duplicate this information?
Are you saying any OpenPGP data in the CERT RR should be permitted?
I think RFC 2538 was unclear on this, but it seems clear that at least
it was intended to store self-signed OpenPGP keys. Given that X.509
CRLs are supported by the same document, one could argue that OpenPGP
revocation certs should be permitted as well. But any OpenPGP data?
The text currently says:
   Public keys can use the OpenPGP public key packet (tag 6) or public
   subkey packet (tag 14), as described in section 5.5 of [5].
   Revocation signatures can use an OpenPGP signature packet with a
   revocation signature type, i.e., signature type 0x20, 0x28 or 0x30,
   as described in section 5.2 of [5].
It was mostly meant to illustrate that OpenPGP data is sub-typed.
I don't have a preference, but I think the updated document should be
clear on exactly what kind of data may be stored in the RDATA portion.
Permitting any OpenPGP data may be a simple solution.
>> Further, if someone has additional thoughts on the document, now would
>> be a good time to discuss them.
>
> $ gpg --export "68FD549F" | wc -c
> 88127
>
> Some OpenPGP certificates may have to be split across multiple
> resource records. Maybe DNS isn't such a great place to store them
> after all. 8-/
This is certainly a problem. The update should at least acknowledge
this. There are some ideas on how to solve the problem in
draft-josefsson-cert-openpgp.txt, but I'm not sure it is a good idea.
> In the URI type, it would be nice if some hashes are included. As a
> result, the protection offered by DNSSEC one day would extend to the
> referenced document.
That seems to be a good suggestion, I'll add it.
> NAPTR records offer an interesting perspective for mapping domains
> (and email address) to certificate references. Such records could
> look like this one:
>
> _openpgp.example.org IN NAPTR 10 10 "u" "PGP+D2U"
> "!^(.*)@example.org$!http://ca.example.org/lookup.cgi?user=\\1!"
Right, but that is out of scope for 2538bis.
Thanks,
Simon
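The draft text quoted above restricts CERT RDATA to specific OpenPGP packet kinds (public key, public subkey, revocation signature), and the thread notes that a full `gpg --export` contains much more. The following script is an added example, not code from the thread, the draft, or any OpenPGP implementation: it parses OpenPGP packet headers (RFC 4880 section 4.2, both old- and new-format), reads the signature type octet of v3/v4 signature packets, and reports which packets in a blob the quoted text would allow. The sample packets are hand-constructed with dummy bodies; only the headers and the signature-type octet are meaningful, and the function names are this example's own.

```python
"""Classify OpenPGP packets against the CERT RR rules quoted in the thread.

Added example, not part of the original message or of RFC 2538bis.  The
parser below handles OpenPGP packet headers (RFC 4880 section 4.2) and
flags each packet as one of the kinds the draft text names: a public key
packet (tag 6), a public subkey packet (tag 14), or a signature packet
(tag 2) carrying a revocation signature type (0x20, 0x28, 0x30).
"""
import struct

TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_PUBLIC_SUBKEY = 14
REVOCATION_SIG_TYPES = {0x20, 0x28, 0x30}   # key, subkey, certification revocation


def parse_packets(data):
    """Split an OpenPGP octet stream into (tag, body) pairs.

    Old-format and new-format headers are both handled.  New-format
    partial body lengths (length octets 224..254) are rejected rather
    than reassembled; key material stored in DNS should not need them.
    """
    packets = []
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("offset %d: bit 7 clear, not an OpenPGP packet" % (i - 1))
        if ctb & 0x40:                      # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                               # old-format header: tag in bits 5..2
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[i]
                i += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[i:i + 2])[0]
                i += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:                           # indeterminate: runs to end of input
                length = len(data) - i
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet (tag %d)" % tag)
        i += length
        packets.append((tag, body))
    return packets


def signature_type(body):
    """Return the signature type octet of a v3 or v4 signature packet body."""
    version = body[0]
    if version == 4:
        return body[1]                      # v4: version, sig type, pk algo, hash algo, ...
    if version == 3:
        return body[2]                      # v3: version, 0x05, sig type, ...
    raise ValueError("unsupported signature version %d" % version)


def classify(tag, body):
    """Name the packet kind if the quoted draft text allows it in CERT RDATA, else None."""
    if tag == TAG_PUBLIC_KEY:
        return "public key"
    if tag == TAG_PUBLIC_SUBKEY:
        return "public subkey"
    if tag == TAG_SIGNATURE:
        sig_type = signature_type(body)
        if sig_type in REVOCATION_SIG_TYPES:
            return "revocation signature (type 0x%02x)" % sig_type
    return None


def check_cert_rdata(data):
    """One entry per packet; None marks a packet the quoted text does not permit."""
    return [classify(tag, body) for tag, body in parse_packets(data)]


# Hand-constructed sample packets (dummy bodies, constructed for this example).
PUBKEY = bytes([0xC6, 0x06, 0x04, 0, 0, 0, 0, 0x01])                  # new-format tag 6
SUBKEY = bytes([0xB8, 0x06, 0x04, 0, 0, 0, 0, 0x01])                  # old-format tag 14
KEY_REVOCATION = bytes([0xC2, 0x08, 0x04, 0x20, 0x01, 0x08, 0, 0, 0, 0])  # v4 sig, type 0x20
CERTIFICATION = bytes([0xC2, 0x08, 0x04, 0x10, 0x01, 0x08, 0, 0, 0, 0])   # v4 sig, type 0x10
USER_ID = bytes([0xCD, 0x05]) + b"alice"                               # new-format tag 13

if __name__ == "__main__":
    for label, blob in [("public key", PUBKEY), ("subkey", SUBKEY),
                        ("key revocation", KEY_REVOCATION),
                        ("certification", CERTIFICATION),
                        ("export-like blob", PUBKEY + USER_ID + CERTIFICATION)]:
        print("%-18s %s" % (label, check_cert_rdata(blob)))
```

Run against a real `gpg --export` blob, the list shows exactly which packets (user IDs, ordinary certifications, signature subpackets carried inside a certification) fall outside the quoted rule, which is what makes "permit any OpenPGP data" and "permit only tags 6, 14 and revocation signatures" materially different choices for 2538bis.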