Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 30 September 2013 02:16 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20130920021124.GE29796@mournblade.imrryr.org>
Date: Sun, 29 Sep 2013 19:16:43 -0700
Message-Id: <4D79E741-F559-4D6D-9AB0-E7B35A62C783@vpnc.org>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <m361twqxn9.fsf@carbon.jhcloos.org> <20130919221035.GC29796@mournblade.imrryr.org> <20130920021124.GE29796@mournblade.imrryr.org>
To: dane@ietf.org

On Sep 19, 2013, at 7:11 PM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote:

> On Thu, Sep 19, 2013 at 10:10:35PM +0000, Viktor Dukhovni wrote:
> 
>> Agreed on PKIX-TA vs. PKIX-CA.
> 
> On second thought, I am not so sure: the CA constraint with usage
> 0 is NOT a trust anchor; the trust anchor is still the PKIX root CA.
> 
> This usage requires the presence of a given CA (root or intermediate)
> in the chain, but does not promote that CA to a trust anchor (as
> with usage 2).  So perhaps the original PKIX-CA is in fact better.

PKIX is not clear if there are PKIX TAs that are not CAs, as we discussed extensively earlier in this WG. We do not need to open those wounds with molten salt. Either term is probably technically accurate, and we won't know for sure.

The rest of this document seems fine, and is a valuable addition to the DANE world.

--Paul Hoffman
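The distinction Viktor draws above (usage 0 requires a given CA to appear in a chain that still has to validate against the client's own roots, whereas usage 2 makes the named CA the trust anchor) is easy to get wrong in an implementation. The following toy model is an added illustration, not code from the draft or from any DANE implementation, and it simplifies PKIX validation to issuer/subject linking only (no signatures, dates or name constraints). The certificates, their stand-in DER bytes, the root store and the function names are all constructed for the example; the association data assumes selector 0 (full certificate) with matching type 1 (SHA-256).

```python
"""Toy model of TLSA certificate usage 0 (CA constraint) versus usage 2
(trust-anchor assertion), following the RFC 6698 semantics discussed in
the thread. Chain validation is deliberately reduced to issuer/subject
name linking; real PKIX validation also checks signatures, validity
periods, name constraints and more. Every certificate here is a
constructed stand-in, not real DER."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the certificate's DER encoding


def cert_sha256(cert: Cert) -> str:
    """Association data for selector 0 (full cert), matching type 1 (SHA-256)."""
    return hashlib.sha256(cert.der).hexdigest()


def links_up(chain) -> bool:
    """True if each cert in the leaf-first chain is issued by the next one."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))


def pkix_validates(chain, trusted_roots) -> bool:
    """Simplified PKIX: the chain links correctly and ends in a locally trusted root."""
    return bool(chain) and links_up(chain) and chain[-1] in trusted_roots


def usage0_ca_constraint(chain, trusted_roots, assoc_hash: str) -> bool:
    """Usage 0 (CA constraint): the chain must PKIX-validate against the client's
    own root store AND a CA cert matching the TLSA record must appear above the
    leaf. The matched CA gains no trust of its own; the trust anchor is still
    whatever root the client already trusts."""
    if not pkix_validates(chain, trusted_roots):
        return False
    return any(cert_sha256(c) == assoc_hash for c in chain[1:])


def usage2_trust_anchor(chain, assoc_hash: str) -> bool:
    """Usage 2 (trust-anchor assertion): the matching cert IS the trust anchor.
    The chain only has to link up to it; the client's root store is not consulted."""
    for i, c in enumerate(chain):
        if cert_sha256(c) == assoc_hash:
            return links_up(chain[: i + 1])
    return False


# Constructed sample material: one chain under a public root that the client
# trusts, and one under a private root that it does not.
PUBLIC_ROOT = Cert("Public Root", "Public Root", b"constructed-public-root")
PUBLIC_INT = Cert("Public Intermediate", "Public Root", b"constructed-public-int")
PUBLIC_LEAF = Cert("www.example.com", "Public Intermediate", b"constructed-public-leaf")
PUBLIC_CHAIN = [PUBLIC_LEAF, PUBLIC_INT, PUBLIC_ROOT]

CORP_ROOT = Cert("Corp Root", "Corp Root", b"constructed-corp-root")
CORP_LEAF = Cert("mail.example.com", "Corp Root", b"constructed-corp-leaf")
CORP_CHAIN = [CORP_LEAF, CORP_ROOT]

ROOT_STORE = {PUBLIC_ROOT}  # the client trusts only the public root


def demo() -> dict:
    """Run the four cases that separate the two usages."""
    return {
        # Public chain, TLSA names the intermediate: PKIX ok and CA present.
        "usage0_public_int": usage0_ca_constraint(PUBLIC_CHAIN, ROOT_STORE, cert_sha256(PUBLIC_INT)),
        # Public chain, TLSA names an unrelated CA: PKIX ok, constraint not met.
        "usage0_wrong_ca": usage0_ca_constraint(PUBLIC_CHAIN, ROOT_STORE, cert_sha256(CORP_ROOT)),
        # Private chain, TLSA names the private root: usage 0 does NOT make it trusted.
        "usage0_private_root": usage0_ca_constraint(CORP_CHAIN, ROOT_STORE, cert_sha256(CORP_ROOT)),
        # Same private chain and record under usage 2: the named CA is the anchor.
        "usage2_private_root": usage2_trust_anchor(CORP_CHAIN, cert_sha256(CORP_ROOT)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third and fourth cases are the ones that matter for the naming question: the same record data yields a failure under usage 0 and a success under usage 2, because only usage 2 promotes the named CA to a trust anchor.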