DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
RFC 7929
|
| Document |
Type |
|
RFC - Experimental
(August 2016; Errata)
|
|
Last updated |
|
2016-08-08
|
|
Stream |
|
IETF
|
|
Formats |
|
plain text
pdf
html
bibtex
|
|
Reviews |
|
|
| Stream |
WG state
|
|
Submitted to IESG for Publication
|
|
Document shepherd |
|
Ólafur Guðmundsson
|
|
Shepherd write-up |
|
Show
(last changed 2016-04-21)
|
| IESG |
IESG state |
|
RFC 7929 (Experimental)
|
|
Consensus Boilerplate |
|
Yes
|
|
Telechat date |
|
|
|
Responsible AD |
|
Stephen Farrell
|
|
Send notices to |
|
(None)
|
| IANA |
IANA review state |
|
Version Changed - Review Needed
|
|
IANA action state |
|
RFC-Ed-Ack
|
Internet Engineering Task Force (IETF) P. Wouters
Request for Comments: 7929 Red Hat
Category: Experimental August 2016
ISSN: 2070-1721
DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP
Abstract
OpenPGP is a message format for email (and file) encryption that
lacks a standardized lookup mechanism to securely obtain OpenPGP
public keys. DNS-Based Authentication of Named Entities (DANE) is a
method for publishing public keys in DNS. This document specifies a
DANE method for publishing and locating OpenPGP public keys in DNS
for a specific email address using a new OPENPGPKEY DNS resource
record. Security is provided via Secure DNS, however the OPENPGPKEY
record is not a replacement for verification of authenticity via the
"web of trust" or manual verification. The OPENPGPKEY record can be
used to encrypt an email that would otherwise have to be sent
unencrypted.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for examination, experimental implementation, and
evaluation.
This document defines an Experimental Protocol for the Internet
community. This document is a product of the Internet Engineering
Task Force (IETF). It represents the consensus of the IETF
community. It has received public review and has been approved for
publication by the Internet Engineering Steering Group (IESG). Not
all documents approved by the IESG are a candidate for any level of
Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7929.
Wouters Experimental [Page 1]
RFC 7929 DANE for OpenPGP Keys August 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Wouters Experimental [Page 2]
RFC 7929 DANE for OpenPGP Keys August 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Experiment Goal . . . . . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The OPENPGPKEY Resource Record . . . . . . . . . . . . . . . 5
2.1. The OPENPGPKEY RDATA Component . . . . . . . . . . . . . 6
2.1.1. The OPENPGPKEY RDATA Content . . . . . . . . . . . . 6
2.1.2. Reducing the Transferable Public Key Size . . . . . . 7
2.2. The OPENPGPKEY RDATA Wire Format . . . . . . . . . . . . 7
2.3. The OPENPGPKEY RDATA Presentation Format . . . . . . . . 7
3. Location of the OPENPGPKEY Record . . . . . . . . . . . . . . 8
4. Email Address Variants and Internationalization
Considerations . . . . . . . . . . . . . . . . . . . . . . . 9
5. Application Use of OPENPGPKEY . . . . . . . . . . . . . . . . 10
5.1. Obtaining an OpenPGP Key for a Specific Email Address . . 10
5.2. Confirming that an OpenPGP Key is Current . . . . . . . . 10
5.3. Public Key UIDs and Query Names . . . . . . . . . . . . . 10
6. OpenPGP Key Size and DNS . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7.1. MTA Behavior . . . . . . . . . . . . . . . . . . . . . . 12
7.2. MUA Behavior . . . . . . . . . . . . . . . . . . . . . . 13
7.3. Response Size . . . . . . . . . . . . . . . . . . . . . . 14
7.4. Email Address Information Leak . . . . . . . . . . . . . 14
7.5. Storage of OPENPGPKEY Data . . . . . . . . . . . . . . . 14
7.6. Security of OpenPGP versus DNSSEC . . . . . . . . . . . . 15
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
8.1. OPENPGPKEY RRtype . . . . . . . . . . . . . . . . . . . . 15
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . 15
9.2. Informative References . . . . . . . . . . . . . . . . . 16
Show full document text