Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 02 December 2013 20:32 UTC

Date: Mon, 02 Dec 2013 20:32:41 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131202203241.GM761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net>
In-Reply-To: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net>

On Mon, Dec 02, 2013 at 01:44:49PM -0500, Warren Kumari wrote:

> So, let's try and get this "what to call it" question nailed down
> once and for all.
> 
> Please express a preference for:
> 
> PKIX-TA
> PKIX-CA
> DANE-<something>
> 
> I don't think that anyone really *loves* any of the above, so an
> even better outcome is that someone proposes a better acronym that
> everyone likes...

We should attempt to capture something of the flavour of (be at
least as clear as) the short names in RFC 6698:

	0 - "CA constraint"
	1 - "service certificate constraint"
	2 - "trust anchor assertion"
	3 - "domain-issued certificate"

Of these, 0 and 2 are reasonably clear, while 1 and especially 3
are a bit oblique.  Thus the shorter acronyms I would propose are:

	0	CA-CHECK
	1	EE-CHECK
	2	DANE-TA
	3	DANE-EE

The word "check" is one of the shorter synonyms for "constraint"
when used to mean "restriction".  If brevity is not a major priority,
we could use "CONSTRAINT" rather than "CHECK".

The above has the advantage of not using "PKIX" as a contrast to
DANE in 0/1, which was problematic, because 2 is also PKIX, just
with a dynamically established X.509 trust anchor.  The only
non-PKIX usage was 3.

A similar alternative is:

	0	LIMIT-CA
	1	LIMIT-EE
	2	DANE-TA
	3	DANE-EE

-- 
	Viktor.
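As an added illustration, not taken from the message above or from any DANE implementation, the following Python sketch models which check each RFC 6698 certificate usage implies, labelled with the short names proposed in the message. Certificate bytes are constructed placeholders, the `Cert`, `TLSA`, `tlsa_for` and `tlsa_accepts` names are this example's own, and PKIX path validation against a root store is stood in for by a boolean so that the point that usages 0, 1 and 2 are PKIX while 3 is not is visible in the control flow.

```python
import hashlib
from typing import NamedTuple

# Short names proposed in the message for the RFC 6698 certificate usages.
USAGE_NAMES = {0: "CA-CHECK", 1: "EE-CHECK", 2: "DANE-TA", 3: "DANE-EE"}

class Cert(NamedTuple):
    der: bytes   # full certificate in DER form (constructed placeholder here)
    spki: bytes  # its SubjectPublicKeyInfo (constructed placeholder here)

class TLSA(NamedTuple):
    usage: int
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def assoc_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Certificate association data as RFC 6698 defines it for one cert."""
    raw = cert.der if selector == 0 else cert.spki
    if matching_type == 0:
        return raw
    digest = hashlib.sha256 if matching_type == 1 else hashlib.sha512
    return digest(raw).digest()

def tlsa_for(cert: Cert, usage: int, selector: int, matching_type: int) -> TLSA:
    """Build the TLSA record that would match `cert` (helper for the demo)."""
    return TLSA(usage, selector, matching_type, assoc_data(cert, selector, matching_type))

def matches(rr: TLSA, cert: Cert) -> bool:
    return assoc_data(cert, rr.selector, rr.matching_type) == rr.data

def tlsa_accepts(rr: TLSA, chain: list, pkix_valid: bool) -> bool:
    """chain[0] is the end-entity cert, the rest are the issuers the server sent.
    pkix_valid stands in for ordinary PKIX validation against the client's root
    store; note that only usages 0 and 1 consult it.  Signature checking along
    the chain is omitted, so this models the usage semantics, not a full verifier."""
    if rr.usage == 0:   # CA-CHECK: PKIX must succeed AND some issuer must match
        return pkix_valid and any(matches(rr, c) for c in chain[1:])
    if rr.usage == 1:   # EE-CHECK: PKIX must succeed AND the EE must match
        return pkix_valid and matches(rr, chain[0])
    if rr.usage == 2:   # DANE-TA: a matching issuer becomes the trust anchor;
                        # still a PKIX path, but the root store is not consulted
        return any(matches(rr, c) for c in chain[1:])
    if rr.usage == 3:   # DANE-EE: only the EE must match; no PKIX at all
        return matches(rr, chain[0])
    raise ValueError(f"unknown certificate usage {rr.usage}")
```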