IETF Logo Mail Archive

Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]

Viktor Dukhovni <viktor1dane@dukhovni.org> Sun, 08 December 2013 23:53 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBA161AE17D for <dane@ietfa.amsl.com>; Sun, 8 Dec 2013 15:53:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LqNOx3WdJMEJ for <dane@ietfa.amsl.com>; Sun, 8 Dec 2013 15:53:22 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 32C6A1AE11A for <dane@ietf.org>; Sun, 8 Dec 2013 15:53:21 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 0C63A2AABD1; Sun, 8 Dec 2013 23:53:16 +0000 (UTC)
Date: Sun, 08 Dec 2013 23:53:15 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131208235315.GU761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131205175314.GH761@mournblade.imrryr.org> <E78C07CA-B742-43B2-8848-33DEB22A8014@kumari.net> <201312080234.rB82YeoW029387@new.toad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201312080234.rB82YeoW029387@new.toad.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Dec 2013 23:53:23 -0000

On Sat, Dec 07, 2013 at 06:34:40PM -0800, John Gilmore wrote:

> > Any (strong) objections?
> 
> Yes, I object.  If there is no consensus on acronyms, we should stick
> with what is in the current RFC 6698, rather than forwarding an
> acronym proposal for adoption as a standard, even though we can't
> agree on what it should say.  It's unnecessary, which probably
> explains the paucity of responses, and divisive among those who did
> respond.  It should be abandoned.

Perhaps the author is willing to take a look at the history of the
thread, and propose one final set of names for the 4 usages that
makes most sense to him.  We can then object or concur with those
without (yet again) proposing changes.

I am not fundamentally opposed to human-readable TLSA RRs:

    ; _25._tcp.mx.example.com. IN TLSA 3 1 2
    _25._tcp.mx.example.com. IN TLSA TRUSTED-LEAF PUBLIC-KEY SHA2-512 {blob}[

    ; _25._tcp.mx.example.com. IN TLSA 2 0 2
    _25._tcp.mx.example.com. IN TLSA TRUSTED-CA CERTIFICATE SHA2-512 {blob}

    ; _25._tcp.mx.example.com. IN TLSA 1 0 1
    _25._tcp.mx.example.com. IN TLSA VALID-LEAF PUBLIC-KEY SHA2-256 {blob}

    ; _25._tcp.mx.example.com. IN TLSA 0 1 0
    _25._tcp.mx.example.com. IN TLSA VALID-CA PUBLIC-KEY VALUE {blob}

As much possible, the acronyms should avoid jargon unfamiliar to
their intended audience and in a full TLSA record should ideally
read like a complete sentence, as above.

The dichotomy between "TRUSTED" (sufficient on its own) and "VALID"
(not sufficient without external trust) is I think one reasonable
way to communicate the usage values.

Anyway, I think it is up to the author to propose a final revision,
or as John suggests, give up.

-- 
	Viktor.

v2.30.2 | Report a Bug | By Email | System Status