Re: [dane] On the PKIX-TA / PKIX-CA question… [ One week WGLC ]
Wes Hardaker <wjhns1@hardakers.net> Wed, 11 December 2013 17:50 UTC
From: Wes Hardaker <wjhns1@hardakers.net>
To: Warren Kumari <warren@kumari.net>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net>
Date: Wed, 11 Dec 2013 09:50:31 -0800
In-Reply-To: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> (Warren Kumari's message of "Mon, 2 Dec 2013 13:44:49 -0500")
Message-ID: <0l1u1jp994.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] On the PKIX-TA / PKIX-CA question… [ One week WGLC ]
Warren Kumari <warren@kumari.net> writes:

> PKIX-TA
> PKIX-CA
> DANE-<something>

That's exactly the order I'd prefer. Types 0/1 require PKIX, so the prefix makes sense and I like the alignment that allows:

|---------+---------|
| PKIX-TA | PKIX-EE |
|---------+---------|
| DANE-TA | DANE-EE |
|---------+---------|

(even though a future type 5 may not align well, those four still can and probably should)

That being said, I'm fine with PKIX-CA as well.

I disagree(ish) that a type 0 reference is not a trust anchor and thus shouldn't be called that. And the reason I disagree is that though in itself it isn't one, because the true trust anchor must also be pre-programmed, it still is very much restricting use to a single TA and pointed to as a reference. Thus it truly is being used as a form of trust, because both the internally recorded TA and the DANE TLSA record must match or all bets are off. Thus they're both equally important when DANE is in play.

-- 
Wes Hardaker
Parsons