Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 07 October 2013 14:52 UTC

Date: Mon, 07 Oct 2013 14:52:33 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131007145233.GE483@mournblade.imrryr.org>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <024c01cec2dc$72b596e0$5820c4a0$@augustcellars.com> <20131006224742.GA483@mournblade.imrryr.org> <5252BA5A.2040209@bbn.com>
In-Reply-To: <5252BA5A.2040209@bbn.com>
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

On Mon, Oct 07, 2013 at 09:42:50AM -0400, Stephen Kent wrote:
> Viktor,
> >>To me this loses the fact that there will be PKIX processing that occurs
> >>with this section.  I would strongly recommend that this become PKIX-TA.
> >
> >I think that would confuse almost everyone.  The "PKI" part of PKIX
> >carries mental baggage that is inappropriate in this context.
>
> So the mental baggage to which you refer is an example of an
> inappropriate-sized carry on (to run that metaphor into the ground).

Yes, but I still think many will find PKIX-TA confusing as a
description of usage 2.  It is easier to roughly divide the usages
into

  - 0/1 (PKIX, that is public CA verified, DNSSEC constrained)

and

  - 2/3 (DANE, that is DNSSEC verified)

though I freely admit that indeed the PKIX specification is
silent on the origin of the TA, and technically quite suitable to
usage 2.  Indeed many of the implementation flaws I pointed out
some months back this spring (in then-extant DANE implementations)
were related to failure to properly verify usage 2 chains (it was
a common error to simply check that the peer's chain contained the
associated TA certificate without checking that the TA actually
authenticates a valid chain leading to the EE certificate).

So perhaps the bottom line is that no matter which acronyms we
adopt, confusion will reign until we have ample implementation
guidance (and even then of course some will remain perpetually
confused).

I originally had implementation notes in the DANE ops draft, but
decided to focus just on operational issues, in the end.  Perhaps
there should be a separate document with guidance and warnings for
implementation developers.

-- 
	Viktor.
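As an added illustration of the usage 2 verification flaw described in the message above (example code written for this archive page, not from the draft or from any DANE implementation): a Go program that builds a constructed, in-process toy PKI and contrasts the flawed "is the TA certificate somewhere in the presented chain?" check with verification that actually anchors the EE certificate's chain at the TA. It assumes only Go's standard crypto/x509 (Ed25519 keys, no hostname matching) and leaves the TLSA lookup itself out of scope.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mints a toy certificate for this demo (constructed, not a real PKI); a nil parent makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored throughout: toy setup only
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// flawedCheck is the bug described above: accept as soon as the TA certificate appears anywhere in the chain.
func flawedCheck(ta *x509.Certificate, chain []*x509.Certificate) bool {
	for _, c := range chain {
		if c.Equal(ta) {
			return true
		}
	}
	return false
}
// properCheck makes the TA the only trusted root and demands a valid signature path from the EE (chain[0]) to it.
func properCheck(ta *x509.Certificate, chain []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ta)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
// Demo returns (flawedAcceptsRogue, properAcceptsRogue, properAcceptsLegit); the rogue EE is issued by an unrelated CA.
func Demo() (bool, bool, bool) {
	ta, taKey := newCert("DANE TA (constructed)", true, nil, nil)
	rogueCA, rogueKey := newCert("Unrelated CA (constructed)", true, nil, nil)
	legit, _ := newCert("mail.example", false, ta, taKey)
	rogue, _ := newCert("mail.example", false, rogueCA, rogueKey)
	rogueChain := []*x509.Certificate{rogue, rogueCA, ta} // presented chain merely carries a copy of the TA
	return flawedCheck(ta, rogueChain), properCheck(ta, rogueChain), properCheck(ta, []*x509.Certificate{legit, ta})
}
```

The flawed check accepts the rogue chain simply because the TA certificate was appended to it; the proper check rejects it and still accepts the chain the TA really issued.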