Re: [dane] On the PKIX-TA / PKIX-CA question… [ One week WGLC ]

Wes Hardaker <wjhns1@hardakers.net> Wed, 11 December 2013 17:50 UTC

From: Wes Hardaker <wjhns1@hardakers.net>
To: Warren Kumari <warren@kumari.net>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net>
Date: Wed, 11 Dec 2013 09:50:31 -0800
In-Reply-To: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> (Warren Kumari's message of "Mon, 2 Dec 2013 13:44:49 -0500")
Message-ID: <0l1u1jp994.fsf@wjh.hardakers.net>
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] On the PKIX-TA / PKIX-CA question… [ One week WGLC ]

Warren Kumari <warren@kumari.net> writes:

> PKIX-TA
> PKIX-CA
> DANE-<something>

That's exactly the order I'd prefer.  Types 0/1 require PKIX, so the
prefix makes sense and I like the alignment that allows:

  |---------+---------|
  | PKIX-TA | PKIX-EE |
  |---------+---------|
  | DANE-TA | DANE-EE |
  |---------+---------|

(even though a future type 5 may not align well, those four still can
and probably should)

That being said, I'm fine with PKIX-CA as well.  I disagree(ish) that
a type 0 reference is not a trust anchor and thus shouldn't be called
that.  And the reason I disagree is that, though in itself it isn't one
(because the true trust anchor must also be pre-programmed), it still
very much restricts use to a single TA and is pointed to as a reference.
Thus it truly is being used as a form of trust, because both the
internally recorded TA and the DANE TLSA record must match or all bets
are off.  Thus they're both equally important when DANE is in play.

-- 
Wes Hardaker
Parsons
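The distinction the message turns on (usage 0 needs both the client's local trust store and the TLSA record to agree, whereas usage 2 trusts what the record names) can be shown in code. The following is an added example, not code from the message or from any DANE implementation: it models the RFC 6698 usage types 0-3 on a toy certificate chain. The `Cert`/`TLSA` types, the `tlsa_accepts` function, the `pkix_valid` flag standing in for real PKIX path validation, and the sample chain bytes are all constructed assumptions of this example, not parsed X.509.

```python
"""Toy TLSA usage-type check (RFC 6698 semantics) on a constructed chain.

Added example, not from the original message or any real DANE library.
Certificates are dicts of opaque bytes standing in for DER and SPKI; real
code would parse X.509 and run actual PKIX path validation."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes    # stand-in for the whole DER certificate (constructed)
    spki: bytes   # stand-in for SubjectPublicKeyInfo (constructed)


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Certificate association data for the given selector/matching type."""
    raw = cert.der if selector == 0 else cert.spki
    if matching == 0:
        return raw
    if matching == 1:
        return hashlib.sha256(raw).digest()
    if matching == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_record(cert: Cert, usage: int, selector: int = 1, matching: int = 1) -> TLSA:
    """Build the TLSA record an operator would publish for `cert`."""
    return TLSA(usage, selector, matching, association_data(cert, selector, matching))


def tlsa_matches(cert: Cert, rec: TLSA) -> bool:
    return association_data(cert, rec.selector, rec.matching) == rec.data


def tlsa_accepts(chain: list, rec: TLSA, pkix_valid: bool) -> bool:
    """chain[0] is the end-entity cert, the rest are its issuers as presented.
    pkix_valid is the outcome of ordinary PKIX validation against the client's
    own trust store (an input here; a real client computes it)."""
    ee, cas = chain[0], chain[1:]
    if rec.usage == 0:
        # PKIX-TA: the local trust store must accept the chain AND the record
        # must name a CA in that chain. Either side failing rejects.
        return pkix_valid and any(tlsa_matches(c, rec) for c in cas)
    if rec.usage == 1:
        # PKIX-EE: local trust store must accept AND the EE cert must match.
        return pkix_valid and tlsa_matches(ee, rec)
    if rec.usage == 2:
        # DANE-TA: the record itself is the trust anchor; the local store is not
        # consulted. Membership in the presented chain stands in for building a
        # path to that anchor.
        return any(tlsa_matches(c, rec) for c in cas)
    if rec.usage == 3:
        # DANE-EE: only the EE cert matters, no PKIX at all.
        return tlsa_matches(ee, rec)
    raise ValueError(f"unknown usage {rec.usage}")


# Constructed sample chain: EE -> intermediate -> root, plus an unrelated CA.
ROOT = Cert("Example Root CA", b"der:root", b"spki:root")
INTER = Cert("Example Intermediate CA", b"der:inter", b"spki:inter")
EE = Cert("www.example.com", b"der:ee", b"spki:ee")
OTHER_CA = Cert("Unrelated Root CA", b"der:other", b"spki:other")
CHAIN = [EE, INTER, ROOT]


def demo() -> dict:
    """Outcomes that illustrate why both the local TA and the TLSA record
    matter for usage 0, while usage 2 ignores the local store."""
    pkix_ta = make_record(ROOT, usage=0)      # "0 1 1 <sha256(spki)>"
    dane_ta = make_record(ROOT, usage=2)      # "2 1 1 <sha256(spki)>"
    wrong_ta = make_record(OTHER_CA, usage=0)
    return {
        "pkix_ta_both_ok": tlsa_accepts(CHAIN, pkix_ta, pkix_valid=True),
        "pkix_ta_store_rejects": tlsa_accepts(CHAIN, pkix_ta, pkix_valid=False),
        "pkix_ta_record_points_elsewhere": tlsa_accepts(CHAIN, wrong_ta, pkix_valid=True),
        "dane_ta_without_local_store": tlsa_accepts(CHAIN, dane_ta, pkix_valid=False),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Running `demo()` shows the asymmetry the message describes: with usage 0 the connection is rejected as soon as either the local trust store or the TLSA record disagrees, while the same SPKI digest published under usage 2 is accepted with the local store taken out of the picture entirely.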