Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 02 December 2013 20:32 UTC

On Mon, Dec 02, 2013 at 01:44:49PM -0500, Warren Kumari wrote:

> So, let's try and get this "what to call it" question nailed down
> once and for all.
>
> Please express a preference for:
>
> PKIX-TA
> PKIX-CA
> DANE-<something>
>
> I don't think that anyone really *loves* any of the above, so an
> even better outcome is that someone proposes a better acronym that
> everyone likes...

We should attempt to capture something of the flavour of (be at
least as clear as) the short names in RFC 6698:

    0 - "CA constraint"
    1 - "service certificate constraint"
    2 - "trust anchor assertion"
    3 - "domain-issued certificate"

Of these 0 and 2 are reasonably clear, while 1 and especially 3 are
a bit oblique. Thus the shorter acronyms I would propose are:

    0 CA-CHECK
    1 EE-CHECK
    2 DANE-TA
    3 DANE-EE

The word "check" is one of the shorter synonyms for "constraint"
when used to mean "restriction". If brevity is not a major priority,
we could use "CONSTRAINT" rather than "CHECK".

The above has the advantage of not using "PKIX" as a contrast to
DANE in 0/1, which was problematic, because 2 is also PKIX, just
with a dynamically established X.509 trust anchor. The only non-PKIX
usage was 3.

A similar alternative is:

    0 LIMIT-CA
    1 LIMIT-EE
    2 DANE-TA
    3 DANE-EE

--
    Viktor.