Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
"Dickson, Brian" <bdickson@verisign.com> Mon, 02 December 2013 22:47 UTC
From: "Dickson, Brian" <bdickson@verisign.com>
To: "dane@ietf.org" <dane@ietf.org>
Date: Mon, 02 Dec 2013 22:47:04 +0000
Message-ID: <CEC276E2.F1B6%bdickson@verisign.com>
In-Reply-To: <20131202221525.GO761@mournblade.imrryr.org>
The asymmetry between 0/1 and 2/3 can be confusing - I had to read 6698 several times to sort it out. (I am glad I did, though.)

IMHO the acronym should clarify things, or at least suggest which angle to hold 6698 while squinting.

How about these:

0 - CERT-CA
1 - CERT-EE
2 - ROOT-TA
3 - JUST-EE

0 can be either a root CA, or intermediate CA. If the latter, this cert itself must PKIX-validate.
2 can be either a root CA, or another trust anchor - but must be the root of the validation chain either way.
1 requires PKIX validation, 3 does not, hence "just" an End Entity.

Thus, a ROOT-CA cert can be used as either type 0 or type 2 - but that is the only likely place where there is likely confusion.
(Of course, if your EE is a root CA, it could be type 1 - but then you are clearly insane. :-))

Brian

On 12/2/13 5:15 PM, "Viktor Dukhovni" <viktor1dane@dukhovni.org> wrote:

>On Mon, Dec 02, 2013 at 04:34:37PM -0500, James Cloos wrote:
>
>> My pref is that the suffices be the same for each of the prefices,
>> therefore PKIX-TA vs DANE-TA vs PKIX-EE vs DANE-EE.
>
>I'm all for neatly aligned text, and I appreciate the increased
>cosmetic appeal, but surely the fact that this masks semantic
>differences is more important.
>
>    The CA in usage 0 is not a trust anchor, but it is in usage 2.
>
>    The chain in usage 2 still requires PKIX validation, be it with
>    a dynamically obtained trust anchor.
>
>So PKIX-TA and DANE-TA are each misleading, the first is not a TA,
>the second is still PKIX. Are the acronyms just supposed to be
>more memorable than the numbers, or are they supposed to concisely
>convey the associated meaning?
>
>--
>    Viktor.
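The 0/1 versus 2/3 asymmetry the thread is about, written out as a usage-dispatch routine. This is an added Python example, not code from the list or from RFC 6698; certificates are constructed dicts and issuer/subject links stand in for signature checks, so it shows the usage semantics rather than real X.509 path validation.

```python
# Decision logic for the four TLSA certificate usages of RFC 6698 (usages 0-3).
# Certificates are constructed dicts, not X.509; issuer/subject links stand in
# for signature checks, so this shows the usage semantics, not real PKIX.
import hashlib

def make_cert(subject, issuer):
    """Constructed certificate: der/spki bytes are simply derived from the names."""
    der = hashlib.sha256(f"cert:{subject}:{issuer}".encode()).digest()
    return {"subject": subject, "issuer": issuer, "der": der, "spki": der[:16]}

def tlsa_for(cert, usage, selector=1, mtype=1):
    """Build a TLSA record (usage, selector 0=cert/1=SPKI, matching type 0/1/2)."""
    data = cert["der"] if selector == 0 else cert["spki"]
    if mtype:                                    # 1 = SHA-256, 2 = SHA-512
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": data}

def tlsa_matches(cert, tlsa):
    """Compare one cert to a TLSA record using that record's selector and mtype."""
    return tlsa["data"] == tlsa_for(cert, tlsa["usage"], tlsa["selector"], tlsa["mtype"])["data"]

def pkix_path(chain, trust_anchors):
    """Chain [EE, ..., top]: return it extended to its trust anchor, or None."""
    if any(chain[i]["issuer"] != chain[i + 1]["subject"] for i in range(len(chain) - 1)):
        return None
    top = chain[-1]
    for ta in trust_anchors:
        if top["der"] == ta["der"]:
            return chain                         # anchor already sent in the chain
        if top["issuer"] == ta["subject"]:
            return chain + [ta]                  # anchor pulled from the trust store
    return None

def dane_authenticates(chain, tlsa, system_tas):
    """0/1: PKIX via system store plus CA/EE match; 2: matched cert is the only anchor; 3: EE match only."""
    usage, ee = tlsa["usage"], chain[0]
    if usage == 0:                               # CA constraint: CA must be on the valid path
        path = pkix_path(chain, system_tas)
        return path is not None and any(tlsa_matches(c, tlsa) for c in path[1:])
    if usage == 1:                               # service cert constraint: valid path and EE match
        return pkix_path(chain, system_tas) is not None and tlsa_matches(ee, tlsa)
    if usage == 2:                               # trust anchor assertion: still PKIX, own anchor
        for i, c in enumerate(chain):
            if tlsa_matches(c, tlsa):
                return pkix_path(chain[:i + 1], [c]) is not None
        return False
    if usage == 3:                               # domain-issued cert: no PKIX at all
        return tlsa_matches(ee, tlsa)
    return False
```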