On Thu, Jul 02, 2015 at 11:02:17AM +0200, Carsten Strotmann wrote:
Would it be possible to at least update the SMIME draft with the latest
changes on OPENPGPKEY, and get a DNS type code for SMIMEA records from
IANA, before sending the draft to sleep?
I don't think that's a good plan. Once
Hi
I see that our milestones still contain a DANE with IPsec document, although
the WG has not yet discussed or adopted such a document.
There is one proposed document (draft-osterweil-dane-ipsec). That one ties DANE
to opportunistic encryption. While interesting, I think we need a far more
On Thu, Jul 02, 2015 at 10:34:02AM -0400, Paul Wouters wrote:
On Thu, 2 Jul 2015, Viktor Dukhovni wrote:
So for me, the main obstacle is still the owner-label, which is
the same for both OPENPGP and SMIMEA.
No one has given me feedback (positive or negative) on the lowercase if
ascii,
On 02.07.2015 at 17:17, Patrick Ben Koetter p...@sys4.de wrote:
We've just released smilla, an SMIMEA-aware milter. smilla implements
draft-ietf-dane-smime as specified by the IETF DANE WG.
The program has been written in Python. It has been in production since April
2015 at some ISPs
On Thu, 2 Jul 2015, Viktor Dukhovni wrote:
The IPsec entity will resolve this FQDN with DNSSEC, yielding both an IP
address and a DANE record. The DANE record can be used to identify the
certificate or raw public key used in IKE.
What prevents IP address hijacking (mallory.example publishes
On 7/2/15 8:34 AM, Paul Wouters wrote:
On Thu, 2 Jul 2015, Viktor Dukhovni wrote:
So for me, the main obstacle is still the owner-label, which is
the same for both OPENPGP and SMIMEA.
No one has given me feedback (positive or negative) on the lowercase if
ascii, normalise otherwise, then
We've just released smilla, an SMIMEA-aware milter. smilla implements
draft-ietf-dane-smime as specified by the IETF DANE WG.
The program has been written in Python. It has been in production since April
2015 at some ISPs and is considered stable.
At the moment it uses a generic DNS RR. This will
On Thu, Jul 02, 2015 at 06:40:45PM +0300, Yoav Nir wrote:
What prevents IP address hijacking (mallory.example publishes
alice.example's IP address and now mallory's IPSEC keys are used
to encrypt traffic to alice)?
Not sure I follow. Mallory publishes
- mallory.example.com IN A
On Jul 2, 2015, at 6:03 PM, Viktor Dukhovni ietf-d...@dukhovni.org wrote:
On Thu, Jul 02, 2015 at 05:13:01PM +0300, Yoav Nir wrote:
The IPsec entity will resolve this FQDN with DNSSEC, yielding both an IP
address and a DANE record. The DANE record can be used to identify the
certificate
On Jul 2, 2015, at 6:48 PM, Viktor Dukhovni ietf-d...@dukhovni.org wrote:
On Thu, Jul 02, 2015 at 06:40:45PM +0300, Yoav Nir wrote:
What prevents IP address hijacking (mallory.example publishes
alice.example's IP address and now mallory's IPSEC keys are used
to encrypt traffic to alice)?
On Jul 2, 2015, at 8:08 PM, Viktor Dukhovni ietf-d...@dukhovni.org wrote:
On Thu, Jul 02, 2015 at 08:04:37PM +0300, Yoav Nir wrote:
Not sure I follow. Mallory publishes
- mallory.example.com IN A 192.0.2.5
- mallory.example.com IN TLSA
Mallory publishes her own TLSA record for
On Fri, Jul 3, 2015 at 1:47 AM, Peter Saint-Andre - yet pe...@andyet.net
wrote:
On 7/2/15 8:34 AM, Paul Wouters wrote:
On Thu, 2 Jul 2015, Viktor Dukhovni wrote:
So for me, the main obstacle is still the owner-label, which is
the same for both OPENPGP and SMIMEA.
No one has given me
On Thu, Jul 02, 2015 at 09:02:03PM +0300, Yoav Nir wrote:
Alice's keys are ignored once Mallory's PAD entry for 192.0.2.5
supersedes or displaces Alice's.
Ah, I see the source of my confusion.
I never think of a PAD as a table indexed by IP address. The key for
the PAD is a peer, so
On Thu, Jul 02, 2015 at 10:09:46PM +0300, Yoav Nir wrote:
At the end of the day though, IPSEC needs to apply policy to
application traffic presented to the kernel (almost universally)
via the socket API. The socket API gives the kernel a transport
endpoint UDP/192.0.2.5/53, how is the
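The hijack being argued over in the messages above, as an added toy model (constructed for this page, not code from the thread or from any IKE/IPsec implementation). It assumes two DNSSEC-validated zones, alice.example.com and mallory.example.com, both pointing at the documentation address 192.0.2.5, with a made-up "TLSA" standing in for whatever DANE record the draft would bind to the IKE key; the key names are placeholders. It contrasts a PAD indexed by peer IP (the only thing the socket API hands the kernel) with a PAD indexed by peer identity, and shows the pre-configured SPD case mentioned later in the thread where the peer name is pinned for the address.

```python
"""Toy model of the DANE-for-IPsec hijack discussed in the thread.

Constructed example, not code from the thread or from any IKE/IPsec
implementation.  Zone data, addresses (192.0.2.0/24 is the documentation
range) and key names are made up.  "TLSA" stands in for whatever DANE record
the draft would use for IKE.
"""

# Constructed DNSSEC-validated zone data: name -> (A record, key bound by DANE).
# Mallory controls mallory.example.com, so she can validly sign a record that
# points her own name at Alice's address while binding Mallory's key to it.
ZONES = {
    "alice.example.com.":   ("192.0.2.5", "key-alice"),
    "mallory.example.com.": ("192.0.2.5", "key-mallory"),
}


def resolve(fqdn):
    """Return (ip, dane_key) for fqdn; models a validating resolver."""
    return ZONES[fqdn]


class IpIndexedPad:
    """PAD keyed by peer IP address, i.e. by what the socket API gives the
    kernel (e.g. UDP/192.0.2.5/53).  A later entry for the same address
    displaces the earlier one, which is the hijack described in the thread."""

    def __init__(self):
        self.entries = {}

    def learn(self, fqdn):
        ip, key = resolve(fqdn)
        self.entries[ip] = key

    def key_for_flow(self, dst_ip):
        return self.entries.get(dst_ip)


class PeerIndexedPad:
    """PAD keyed by peer identity (FQDN).  Each entry is sound on its own, but
    a flow reaches the kernel carrying only a destination IP, so picking the
    peer needs extra information; two peers claiming one address is ambiguous."""

    def __init__(self):
        self.entries = {}

    def learn(self, fqdn):
        ip, key = resolve(fqdn)
        self.entries[fqdn] = (ip, key)

    def key_for_flow(self, dst_ip, pinned_peer=None):
        """Return the key for dst_ip.  If an SPD entry pins the peer name for
        this address (the pre-configured VPN case), use that peer; otherwise
        return None when more than one peer claims the address."""
        if pinned_peer is not None:
            ip, key = self.entries[pinned_peer]
            return key if ip == dst_ip else None
        claimants = [key for ip, key in self.entries.values() if ip == dst_ip]
        return claimants[0] if len(claimants) == 1 else None


def hijack_outcome():
    """Run the scenario from the thread under each PAD model."""
    by_ip = IpIndexedPad()
    by_peer = PeerIndexedPad()
    for pad in (by_ip, by_peer):
        pad.learn("alice.example.com.")
        pad.learn("mallory.example.com.")   # Mallory's records arrive later
    return {
        "ip_indexed": by_ip.key_for_flow("192.0.2.5"),
        "peer_indexed_unpinned": by_peer.key_for_flow("192.0.2.5"),
        "peer_indexed_pinned": by_peer.key_for_flow(
            "192.0.2.5", pinned_peer="alice.example.com."),
    }


if __name__ == "__main__":
    for model, key in hijack_outcome().items():
        print(f"{model:24s} -> {key}")
```

With the IP-indexed PAD, Mallory's later entry for 192.0.2.5 wins and traffic to Alice's address would be keyed to Mallory. With the peer-indexed PAD nothing is displaced, but the kernel cannot choose between the two claimants from the IP alone unless an SPD entry already pins which peer 192.0.2.5 belongs to, which is the pre-configured case.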
On Jul 3, 2015, at 12:28 AM, Viktor Dukhovni ietf-d...@dukhovni.org wrote:
On Thu, Jul 02, 2015 at 11:29:45PM +0300, Yoav Nir wrote:
The hard part is the transport-mode use-case.
If the SPD entries are specific and pre-configured, the same reasoning as
for VPNs applies. Things change