Re: [dane] Draft for serializing DNSSEC chains

"Richard L. Barnes" <rbarnes@bbn.com> Tue, 28 June 2011 19:17 UTC

From: "Richard L. Barnes" <rbarnes@bbn.com>
In-Reply-To: <BANLkTinugTJB-xhSekN4jn6c9Bv7KcJEFsCa+ZxnwTBcydtXjQ@mail.gmail.com>
Date: Tue, 28 Jun 2011 15:17:02 -0400
Message-Id: <652618FC-437A-42A0-9B4F-DEA8D735DF4E@bbn.com>
References: <BANLkTinugTJB-xhSekN4jn6c9Bv7KcJEFsCa+ZxnwTBcydtXjQ@mail.gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Cc: dane@ietf.org
Subject: Re: [dane] Draft for serializing DNSSEC chains

Excellent, this matches what I backed out of your example :)

Couple of quick comments:

- Summary: I think it would be clearer to structure the draft as:
  1. Data structure
  2. How to construct the chain starting from a DNS name
  3. How to verify the chain

- It would be helpful to have a description of the data structure in "at rest" form, as opposed to in "parsing stream" form, in order to separate structure from parsing logic.

- Because the description of verifier behavior is so focused on parsing, the cryptographic verification steps kind of get lost.  It took me a couple of seconds to find the requirement for matching DS and DNSKEY.

- The document doesn't say anything about how to construct a chain starting from a DNS name.  Given that chain.py is 471 lines, this doesn't seem like a trivial process!

- Considering the differences from normal certs, e.g., in naming practices, it might actually be helpful to have a separate certificate profile for DNSSEC-stapled certificates, and to signal it with something like a CP OID (as for EV).  That wouldn't rule out the use of this extension with other types of certs, but it would provide a simple flag that a stapled cert is different from some other self-signed cert.

Thanks for writing a spec, I think this could be a useful complement to the DANE RR type.
--Richard



On Jun 28, 2011, at 2:22 PM, Adam Langley wrote:

> As promised. (This is also the format that Chrome is using for its
> DNSSEC stapled certificate support.)
> 
> http://tools.ietf.org/html/draft-agl-dane-serializechain-00
> 
> 
> Cheers
> 
> AGL
> 
> -- 
> Adam Langley agl@imperialviolet.org http://www.imperialviolet.org
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
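The "matching DS and DNSKEY" requirement mentioned above is the step that links each zone in a serialized chain to its parent. The following is an added example, not code from the draft, from Chrome or from chain.py, showing that check as RFC 4034 defines it: the DS digest is the hash of the canonical owner name followed by the DNSKEY RDATA, and the key tag, algorithm and digest type must all agree. The DNSKEY bytes are constructed for illustration and are not a real key.

```python
import hashlib
import hmac
import struct

# DS digest-type numbers (RFC 4034 for SHA-1, RFC 4509 for SHA-256).
DS_DIGEST_ALGS = {1: "sha1", 2: "sha256"}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase
    labels, each length-prefixed, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout (RFC 4034 s2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (general algorithm; the RSA/MD5
    special case for algorithm 1 is deliberately not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """What a parent zone publishes for a child DNSKEY: (tag, alg, dtype, digest)
    with digest = H(canonical owner name || DNSKEY RDATA) (RFC 4034 s5.1.4)."""
    h = hashlib.new(DS_DIGEST_ALGS[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.digest())


def ds_matches_dnskey(owner: str, ds: tuple, rdata: bytes) -> bool:
    """Verifier side: does this DS record vouch for this DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST_ALGS:      # unknown digest type: cannot validate
        return False
    if rdata[2] != 3 or not (rdata[0] << 8 | rdata[1]) & 0x0100:
        return False                      # protocol must be 3, Zone Key bit set
    if alg != rdata[3] or tag != key_tag(rdata):
        return False
    return hmac.compare_digest(digest, make_ds(owner, rdata, dtype)[3])


# Constructed sample key (flags 257 = KSK, protocol 3, algorithm 8); not a real key.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 9)))
```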