DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
draft-ietf-dane-openpgpkey-12

NOTE to editors: Thank you for addressing my earlier comments in -09, -10 and -12.

Despite many objections to publishing this specification I believe we should run the experiment. I will vote "Yes" once DISCUSS-points are addressed. I would rather see this experiment being done and fail (or better - succeed), than to block publication of this document because it is not perfect.

Some (edited) comments from Ned Freed that I (mostly) agree with:

1) In Section 3:

When describing unquoting and unescaping, I think it would be useful to give an example, for example all of the following are equivalent and must result in the same hashed value:

(1) first.last@example.com
(2) first . last @example.com
(3) "first.last"@example.com
(4) "\f\i\r\s\t.last"@example.com

2)

5.1.  Obtaining an OpenPGP key for a specific email address

   If no OpenPGP public keys are known for an email address, an
   OPENPGPKEY DNS lookup MAY be performed to seek the OpenPGP public key
   that corresponds to that email address.  This public key can then be
   used to verify a received signed message or can be used to send out
   an encrypted email message.  An application whose attempt fails to
   retrieve a DNSSEC verified OPENPGPKEY RR from the DNS should remember
   that failure for some time to avoid sending out a DNS request for
   each email message the application is sending out; such DNS requests
   constitute a privacy leak

Should the document give a specific recommendation about "remember for some time"? Is it tied to TTL for the corresponding RR?
If you can provide some additional text explaining what is reasonable (or not) here, that would improve the specification.

This sounds like a worth while experiment and with Alexey's discuss & comments addressed, it will be well specified.  I'll be interested to see the results and findings on space considerations for DNSSec.