IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 20 September 2013 14:27 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D852321F9A49 for <dane@ietfa.amsl.com>; Fri, 20 Sep 2013 07:27:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.392
X-Spam-Level:
X-Spam-Status: No, score=-1.392 tagged_above=-999 required=5 tests=[AWL=-1.207, BAYES_40=-0.185]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTw0jT8aVjt7 for <dane@ietfa.amsl.com>; Fri, 20 Sep 2013 07:27:13 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id AF66021F9A40 for <dane@ietf.org>; Fri, 20 Sep 2013 07:27:13 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C02732AB0A4; Fri, 20 Sep 2013 14:27:10 +0000 (UTC)
Date: Fri, 20 Sep 2013 14:27:10 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130920142710.GG29796@mournblade.imrryr.org>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <m361twqxn9.fsf@carbon.jhcloos.org> <20130919221035.GC29796@mournblade.imrryr.org> <20130920021124.GE29796@mournblade.imrryr.org> <m3d2o3pzum.fsf@carbon.jhcloos.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <m3d2o3pzum.fsf@carbon.jhcloos.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2013 14:27:19 -0000

On Fri, Sep 20, 2013 at 06:10:48AM -0400, James Cloos wrote:

> VD> This usage requires the presence of a given CA (root or intermediate)
> VD> in the chain, but does not promote that CA to a trust anchor (as
> VD> with usage 2).  So perhaps the original PKIX-CA is in fact better.
> 
> On a ship with multiple anchors, each /is/ still an anchor.  Even if
> the crew does not trust one at a time to hold the ship in place.

I look at this as a ship with an anchor, and a "golden link" in
the chain (O.K., gold is not stronger than iron, but we won't take
this metaphor too literally).  Yes, the "golden link" can also be
a "golden anchor" when the TLSA record association data matches a
public root CA.

An interesting anomaly arises at a site that only explicitly trusts
an intermediate CA (via appropriate local software and configuration)
and is validating a chain that starts with an untrusted ancestor
CA that matches the TLSA RR:

	TLSA-CA -> ... -> local PKIX-TA -> ... -> EE certificate

Should DANE admit this chain?  Under the "2 anchors" analogy arguably
it should.  I think it should not.  The CA *constraint* in RFC 6698
was never intended to accept more certificate chains than one would
accept with PKIX alone, it is supposed to only be an additional check.
The PKIX trust anchor is primary and plays an assymetric role.

> The type 0/1 tlsa are anchors, but the admin lacks trust in either
> technology on its own and requires both technologies verify.

I think this is a radical departure from PKIX terminology.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email