From YouTube: IETF92-DANE-20150324-1730
Description
DANE meeting session at IETF92
2015/03/24 1730
B
B
A
B
A
A
You know, we'll make sure that everybody gets to be heard. So with that done, let's try and actually get this meeting started. This is DANE; we're going to be talking about DANE stuff. If you don't want to hear about DANE stuff, you probably don't want to be here. This is our agenda.
A
D
A
Probably there we go. If we give you the blue sheets will have spaced, but the mic here somewhere. I have lost their Note Well slide.
A
There's a Note Well slide over here off the past. It really quickly. We need to actually find the Note Well slide. Is there anybody here who has not seen the Note Well slide and does not know what it means?
A
D
E
Okay, let's just quickly, I'm missing a draft that should exist that I don't know. If that's to get agenda bashing, we try to implement DANE for IRC and we are missing something to indicate that the IRC server needs to support TLS. So I want to give the assurance that my super dusty lesson that I could can't find anything in DANE that allows me to signal this, so I guess there should be a draft or something or this, or I'm too stupid to find it an.
F
D
A
D
C
OK, the chairs minus then just under the wire to advance two documents to the IESG. We have one group work document in the working group last call. We have queued one more document for working group last call as soon as this OpenPGP working group last call is over, so that would be happening, and then we have two documents that we would like to just get rid of soon. Next slide, or milestones. Well, we are falling behind schedule.
C
F
What topic apologist I'm, as I've said before, I guess you forgot, there will be a document for DANE and IPsec, and we are working on implementing an implementing something, but we figured it's too soon to write at the doctor yet, so there are still some issues that are pretty quarter document they want to think about before we submit a draft, but like consider a minus one, perhaps submitted timeline.
F
G
D
A
D
A
A
F
D
A
A
G
Okay, cool, everyone. So I'm Eric I was just as much, and so there's so so this can be really quick. I got a 10 minute slot; there's not a lot to say. So we've been playing around with the SMIMEA thing ever since the discussion started: how to implement it, how to give it out to people, how to use it. And in doing the implementation and actually doing some really early pilots with it, it sounds something interesting, interesting avenues to take.
G
Mostly there are things that we talked about on the list and the text we suggested. Everything we have to kind of ate our dog food a little bit and, let's see, so one of the things that came up was we talked about the underscore anchor underscore sign. We found that that was very easy to sort of.
G
G
We also, there was also discussion of adding a field called the access field, and I think, probably in the next presentation, you'll hear a little bit about why that we found it was a good idea in other places as well, but certainly when doing work with this one week on it was really, really useful to say: hey, we found you discovered something, you learn something from DNS, but really you need to go somewhere else.
G
You need to go get it from an LDAP forest or something like that, an AD forest or no infrastructure, and so having a URI. We sort of bored the access, build and said having a URI there can be really useful, especially if the DANE record gives you crypto, so that only other into that. You riu can then secure that transaction with what you learned earlier. And so we actually released an open source library to do DANE S/MIME with all these features. It's called libsmaug; it's up on GitHub.
G
Now we also released a Thunderbird plugin, which we very shamelessly borrowed from Enigma, which I think we've mentioned we were thinking of doing the last time the working group met, and you know we're really interested in people downloading it, using it. There's a serve a walkthrough on how you'd install it. It has a generator so that you can give it a cert and it'll generate the SMIMEA records, and so you can copy and paste them into a zone. It even has a helpful script.
G
If you want to generate your own S/MIME certs and you're not sure exactly how to do it, you just run it. Hopefully the documentation is simple, but complete enough to do so. Wow, that came out really well. OK, well, here's some more screenshots that, you know what, don't take my word for it, be really cool.
G
If you felt like downloading and trying it, we also have some interesting work that I guess Glenn will run through in a minute, but we're going to be around all week, and if you're interested in doing this, please download it or seek us out or both. And you know, I think it's really cool. I'd love to demo it for you right now. I can send email securely, encrypt, sign everything, all by learning keys from SMIMEA. Dog food: delicious.
J
So the whatever you mentioned, we want everybody to experience the creamy goodness you can move, so we have this. It's a whitelisted service that we put out, it's free, give folks a way to kind of experiment with DANE records. So if you there right now, there's a proof of concept for an S/MIME type and an experimental type to support some of the other stuff we're doing.
J
But the idea was to give folks a way to create a delegation so that they could host some of these more bizarre records off on a name server that behaves itself, ostensibly. And we also ran into dealing with some of the authorizations for changes to zones. It creates a little bit of a problem: you're talking about folks' personal crypto material, key material for a user within a zone. Do you really want the zone administrator changing the keys that you're using for signing the pic to your email, for example?
J
J
Okay, so this next one. I recognize some of the discussion on the mailing list highlighted that there's a bit of a mismatch between what we're doing here, payment associations, and the way the group is chartered, and I think that's worth talking about. But what I wanted to highlight is there are some changes happening in the industry.
J
I've been part of conversations in the W3C, the Web Payments group, in the Credentials group, and in the wrestling with some of the problems, and problems that I think DANE really is an excellent tool for solving, but it's not email. So when you look at the charter that we have for this working group, this clearly is a little bit outside with that scope. Having said that, I think it could bring some good conversation for us.
J
So what we did is we created a new record type that tries to resolve this, and we put some code behind it. We worked with some folks at Armory. If anybody here uses Bitcoin, those guys have a really nice secure wallet for handling Bitcoin. They implemented some code in their wallet to actually do the DANE lookup BSA an email address. It could render a Bitcoin address.
J
So if I want somebody to be able to pay me coin, I can give them my email address and we can ultimately get me the Bitcoin without me giving them a 34 character address. Or Alan Reiner. It's really interesting work to blow this out into a far more complex mechanism. It seems like cryptocurrencies go that way, but to really do some interesting things with multisig and other signing, and they've got the stuff up in their tree on a non main trunk branch of the Armory wallet.
J
But the question this begs is, obviously doesn't really fit with the charter, but what do we do? It seems to me that there's more stuff coming that DANE is really a nice solution, coupled with DNSSEC. You end up with this really neat chain of trust. It can deliver all kinds of reliable information of folks.
J
Where do we go with these ideas? So if payment association doesn't belong here, the question is then: where would it belong? Or does this group recharter to take on this kind of association? You know, as you see more folks bringing it do. We want to encourage innovation, encourage folks to find other good uses for DANE and DNSSEC, so I'd like to leave that as a no question, hopefully talk about.
C
C
A
While we're waiting for that to be figured out, could I get a hum on if people are interested in this work and think it's useful. If you think it's going to be two hums: one, if you think that this is interesting and useful, and the second will be if you think this is not interesting and useful. So if you think this is interesting and useful, hum now!
A
Okay, if you think this is not interesting and in no way useful, now. Great. Then, for the scribe or a minute person, there was a lot of humming for "this is interesting", pretty much nothing for not so.
L
A
So this is the. If you think this is interesting and useful, you have. We have to get through some of our existing work. Hopefully that's a bit of an incentive for people to do that. If we do actually have enough energy to actually get anywhere with us, I don't know.
A
M
Alright, and Victor's now behind me in the queue. I'm just gonna say this was like, I thought this was a great example of the kind of new things where DANE's enabling, and so I was delighted to see this coming in here, and I hope that we can figure out how to make this work as we move through some of the other documents. So nothing substantive, other than say I will go and review the document. I'd encourage others to. I'm glad you brought it here, and my audio's blasting in the room, I'm told.
M
D
A
A
N
D
A
O
I'm very cheery, with one day mobile hours and 10 minutes left, that counting or anything. So the problem presented, as I understand it, I did a little reading up on this, is we want to be able to get the left-hand side of the address somehow into the DNS, and the problem with the left-hand side of the address is it is case sensitive. The other problem with the left-hand side of the address is it can be one of these funky EAI things, but I don't think we've even gotten there.
O
Yet we have good love that thing. Three, that's a little funky about the left-hand side of the address is that it's documented as 64 characters and labels can only be 63. I'm not convinced that that's a real problem yet, but we'll maybe get back to that. So the, I'm sorry, you it's not because, well, no, no, I mean if we wanted to do it directly as opposed to tensions it.
O
I
I'm not even sure where to start the discussion precisely. There are, as I understand it, a couple of suggestions for ways to go about doing this, and I think we should just do a little queuing here and have a chat about some of the ideas, and some of you in the room have ideas: John, Paul, I. There are plenty of people.
D
So, to summarize, I am proposing that the documents say this hasn't been solved by the applications area in two decades or more, and we should not be. Yes, it is. Well, no, it doesn't need to say that, but essentially that we are not the ones to start now. Here's a question that, actually, John and I had dinner last night, he asked: has any other application that's not LDAP had this issue, and if so, can we follow along with them? John and I drew a blank, but if somebody else who.
P
Yet John Levine. I put my foot in this fairly severely, and I think if we look back through the book, if we look back through all of the various mail RFCs and stuff, we've tried really hard to avoid putting any semantics at all on the local part. You know, and we've tried really, and although we know that pretty much everyone in the world doesn't have to ask a case folding, the spec explicitly doesn't say. Does it doesn't allow you to assume that.
P
And we also know that in the world of EAI, nobody knows what case folding needs, and you know it's, no, it's known to be insoluble. You know, well, so I entirely agree with Paul that, you know, in terms of writing down with a bits, do you can say, you know, take the address as, you know, as given and, you know, encode it, you know, and if anything else happens you lose. My concern is that this sets a dreadful precedent, because reality is that people will guess.
O
L
P
P
P
You know, and you asking all that for j smith and okay, okay, you know, and then tomorrow his boss, whose name is John Smith, gets an address and now Jason is ambiguous. So LDAP will say, sorry, try again. So you know, this is, it's really bad problem, and I would be really uncomfortable, even though technically Paul's suggestion would work. It's sort of, it's pretty much for telling people to use heuristics that I don't think you want them to use, so.
P
If it were up to me, I would say, you know, maybe hashing isn't the right way to do it, maybe you should put, maybe instead we should use like a NAPTR record or something that points to an HTTP, yeah, at the points, you know, that points to some sort of server secured through name. They can actually interpret the local part the way ml so ever would.
L
P
O
B
D
B
Am somewhat in agreement that perhaps this working group is not the right place to sort this out. I'm also in agreement with John. I think that what I was concluding right as he was saying that was that DNS, trying to map this into DNS and get this in a single lookup via just DNS isn't going to work. You really do have to go to some other oracle, because of the quirks of the DNS protocol and the different kinds of quirks of email addresses. You can't use DNS as case folding. That's not sufficient!
B
O
O
B
L
A
O
C
C
K
L
I
Oh sorry, Dave Crocker. The discussion and the proposals have really felt like conflating several functions that are very much best kept separate. When the DNS is referred to as a database system, we have a long history of helping people understand that there's no fuzzy searching in the DNS. I don't understand why it would be something that we would bury in an infrastructure service for email either. We have mail that gets misaddressed all the time.
I
I
H
H
A
bit but a bit in, and if I look at that, the property is there. I look at the failure mode of this. The failure mode is that, it's really the false positive is the failure mode. When the false negative is too bad, but you try again, you get it. The false positive is Vida failure mode, right, and that is a huge false positive, and that's to be a mechanism to say, hey, how do we deal with that.
A
H
O
So is there a false positive problem? That is not something that is a false positive now, independently in the email system. That's.
O
H
Q
Yeah, Chris Newman. I also do not want local part resolution to be done in this working group. God, I feel very strongly that there is one and only one protocol where local part resolution should happen, and that is SMTP, and I think it may very well be, not just for this application but for other applications, important to solve the local part lookup problem, and to do it soon. So I would be supportive of activity to do it, but the process needs to be go through it.
A
So I'm probably a little confused how this would work. So like my MUA would go off and go and talk to some SMTP server where I'm trying to send them. I oh and say please expand this, and then it would come back, and then it would fix that in what I typed, and that it would send it to the SMTP server that I'm actually using for my mail. Check, I would need, my MUA would need to connect to port 25 or whatever on someone else's mail server and say, please convert this for me. Yeah.
Q
But the key thing is: the local part resolution problem is more hot as much harder to solve than you think. For example, mailing lists: most mailing list software does its resolution in flat files. There's no directory lookup. So if you're not talking to the MTA, you can't resolve those local parts. That's just an example. You can create lists and lists of things like this, so the MTA has this knowledge. Nothing else does. There's no directory you can look up, there's no other place you can look this data, not.
O
To short-circuit a lovely conversation, but stay here, Chris, because if you do have to go to the destination SMTP to do the oracle in bit, is there now any use in putting this stuff in DANE?
O
A
O
A
A
D
Left Henry Sullivan. What I heard John Levine suggest is that we use something like NAPTR to solve this problem, and I just want to point out that that was such a fabulously successful approach for DNS names, then now we're going to export it for a thing that isn't quite shaped like DNS names. I think that anything like that won't work, and therefore we probably ought to follow Paul's suggestion.
P
What I said was stupid, but not quite that student might know that, yeah, the suggestion. For that mean it could just be a plate, meet you can use. You can use NAPTR to map everything into the same URI, which is just all stop. Okay, anyway, so yeah, yeah, I'm sorry, yeah, I agree, I agree with Chris Lucas.
F
The second is I cannot detect if I'm under attack if I cannot reach the oracle. The good thing about DNS, I guess, that we made sure that if the zone is signed, I will be able to find the answer that a record exists or not with cryptographic proof. As soon as I make any kind of external connection to any other port, using any other protocol, I lose this property.
O
And that's why I asked the question: if an oracle is required, and a lot of SMTP people are nodding like it might not be possible to put this into the DNS without consulting with the delivery SMTP, is it worth doing in DANE? That's why I asked the question, because that's exactly what DANE would get you, but if you can't, if you need to do the oracle lookup, then is it worth doing pretty.
A
A
F
That my next step was so. My second comment is that I'm, yes, so we can then say limited to just what the user typed in and do that, but we're all gonna know that everybody's gonna ignore that, because, you know, if I use my iPhone right now and I tried send anyone to do in the room here and email, it will capitalize the first letter and we'll be screwed. So people, sure, they will add CNAMEs for a further.
F
Only the first capitalization, and people might add other CNAMEs to map up multiple rules, which is fine. I do think people will start mapping rules that are more complicated, and we might not be able to prevent them from doing it, and we can just make sure that they're violating RFC. I'm not sure if there's much value in that, but to come back to the paragraph of text in the draft.
F
There were suggestions of not mentioning any rules and pretending this problem doesn't exist, mentioning the rules we know about and tell them to be very, very careful, or propose a list of known mapping services, not. I think I would like to, if we choose between any of these text solutions, we can at least move forward. If we're going to off the way of, you know, extending SMTP ordering oracles, we're ten years further, and frankly, I'm, you're telling the authors to go to TXT records.
O
And because I see other people in the queue who might have answers to this question, but is, so we've mentioned an oracle going to the SMTP server and asking it a question live. Is it also plausible, or operationally plausible, for the SMTP server to be the thing that stands up the DNS records in question here? And maybe that's a non-starter because we know that separation of powers that tends to go on, but that might also be the only way to approach the problem, and I'm happy to hear.
O
L
L
O
G
Swell in Verisign. So we actually wrote some of the software, only played around a little bit, and that doesn't make me any better than anybody else. But what I want to point out is I think perfect is definitely the enemy of the good here. I think we have something whereby, if you find keying material, you can use it.
G
If you didn't find it because you put a caps in the wrong place, you can try again, or you don't get the key material you couldn't get anyway. But there are some things that we get for free right away. If I get an email that's signed, I got the address in there. I can use that address to verify the signature. So we're talking about encryption, probably, and that's fine, but I think what we can do now is we can actually move forward without deciding we're gonna fix everything.
G
A hundred percent, come up with oracles and grammars and nothing else. We just try it and we can get something going that's really, really useful. There's a lot of crypto that we started playing with that suddenly we realized, like getting certs synced across devices is a really big deal. We've all known about for a long time, but now that we can actually use the crypto, we're running the real problems that we have to solve, that would think through. So I really worry about us reading and trying to do one hundred percent solution here. I'll.
G
R
Hi, Jeff Hodges. So the question being begged here, I want to uplevel and clarify, is: given an arbitrary email address that maps to anywhere on the internet, any domain, right, and I just somehow get it, I need to be on, the question is I should be able look up the public key that maps to that, right? Okay, so everything that's been said about Milan in the queue here about local parts and looking up natural names or things derived from natural names is correct.
R
It's a total mess on. I deployed the directory service at Stanford back in the late 90s on, and we mapped this to add. Stick. We've created at stanford edu email on using an LDAP base directory infrastructure. You got to do schema blah blah, it's all very site-specific how it all works under the hood. I have a presentation about it that's still out on the web. I can send a pointer to that on.
R
B
Keith Moore. When I think about trying to map large numbers of email addresses into the DNS zone, the thing that I'm reminded immediately is that how often DNS is out of sync with reality. It's a huge problem, because the people who run DNS servers tend to be different than the people running mail servers and so on and so forth. I.
B
Is absolutely the wrong place to put this information in any form, and if there's any right place to put it, it's probably in the primary MX servers or using them as proxies, and you can dismiss multiple ways. You can slice and dice it, but I'm pretty sure it doesn't belong in DNS. I'm also pretty sure the work doesn't belong in this working group.
R
M
O
Yeah, I mean there's dots in them. There's case, there's internationalized characters that need to be dealt with. It's, the left-hand side is a big old mess, so.
M
R
H
That points to not me, but someone else, and so you have here, and the root cause is that there is a conflict. There is a misaligned interests there. The person who's interested in publishing my right public key is me, the person; the server doing that has a ton of other interests, and we may well have a divergence e de.
K
Comment specifically, is Ryan Dixon comment about the questionable ports of anything other than port 53 and protected with stain. I think, without going into that rathole, I think this would be a great case for a sibling document about doing the oracle using DANE as a protection mechanism and proof mechanism for actual looking up of left-hand side names.
N
Daniel Kahn Gillmor. Brief points: I'm not convinced that this is useful for the discovery that the mess that the key doesn't exist, which is a point that Paul raised, simply because currently there is no, I mean any signs own. There are no PGP key records or no S/MIME records. So when I look it up, it doesn't mean that that user account has no key. It simply means it's not published in the DNS, so I'm not sure that that is a goal of this particular work right now.
N
We have no way of signaling that a key doesn't exist for that user. Secondly, I wanted to point out that this problem already exists for people who are doing key lookup. People have certificate stores or key stores or whatever, and they look them up. However, they look them up locally, and it's an existing problem. We shouldn't solve the problem. I think the hashing is necessary.
N
I think the idea that we're going to say how to do the case folding is silly, but we're leaving people definitely no worse off than they were before if we say go ahead and just look up the string that you got. My third point, and then I'll be done, is just to remember that the DNS, until DPRIVE completes successfully, DNS has privacy leakage implications when you're doing your lookups, and I.
A
Guess if we were to go choose a solution like look it up as it is, we can, if there is something new in the future, come back and revisit it. You know, they could be best documents, etc. Yeah, Alex.
E
I
Vanessa from UCLA. I will make a point against the oracle, especially SMTP oracle, as I'm aware of the complex SMTP deployment scenarios, where neither or servers pointed by MX records, either not directly accessible, will have no idea what exactly is happening with the records. And the second point about the oracle in general: is it opening door for spammers to discover a look exact name?
E
E
Thousand putter, just as a response to the comment about someone getting a letter telling them to put in a different key: something that DNSSEC provides us with is transparency for that case, because you can go and query your own record, meaning if you do it right, if you analyze your own query for your own record, you will notice that someone did get that letter, and that is an important feature. I think my.
G
Erik oster welcome. So I definitely want to stand on what I said before about the simple thing and the enemy, the good, what not. But just one sort of point: when we were playing with the S/MIME stuff and we put the URI pointer in there, that was mainly so that we could reach our corporate infrastructure. We could deploy, for example, a wildcard, the mill domain, and allow that wildcard to reference something where you could go King material.
G
You could do that with an oracle or something else as well, whereby your new top level says, for users underneath me, go over here, and I'll secure the transaction by having the crypto in there, whatever, and then you go and that problem's taken care of. It can be, like you said, the MTA or, you know, lions, tigers, bears, and that was one of things that I think, if we just make these things flexible, like we were proposing with the SMIMEA record, we might be able to experiment, figure it out.
O
Just by wrap up, I do want to make sure that, as this conversation progresses, people think in terms of, not, Keith made a comment about the DNS can't do certain things. So this is both about establishing a new DNS service and a new, potentially, SMTP service, and so let's be a little bit broader about: if you do this, maybe we could pull off that ideas. I think that's reasonable point of discussion, but this was useful, and more questions than answers, but that's okay.
C
So, thank you all. Thank you very deep. So I'm going to ask a question of this group. After talking to Barry: if we consider the current PGP OpenPGP document as an experiment in opportunistic PGP key retrieval, you think that this worthwhile experimental contact, and I would like a hum on that or hum on against it. I don't.
C
I mean it's, the current mechanism of just doing a straight lookup, or whatever you have, our three hasit, to look for a PGP key is a war file. Experiment to contact on the internet. Is that a document we want to publish, like an opportunistic way of doing it? So hum. Yes. Those opposed. There were a few. This was a stronger hum for than against. So we will ask this question on the mailing list. I'd.
L
Like to add to that question: do the people who no think it would be a horrible thing to do, or just not a very good thing, you know, is it, they think that would really break things? Look behind you. I.
B
Think my concern will be, if you publish this as a document, that people will think that there will eventually be a standard along these lines, and I think we already know that it's inadequate. So if you want to publish a document, it may be, if there's a big, huge, strong disclaimer that says don't expect things to go this way, but I don't know. I actually think this is an experiment that might do more harm than good. If.