Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]

"Dickson, Brian" <bdickson@verisign.com> Mon, 02 December 2013 22:47 UTC

Return-Path: <bdickson@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C8891ADEB5 for <dane@ietfa.amsl.com>; Mon, 2 Dec 2013 14:47:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9VumvnN5gt7 for <dane@ietfa.amsl.com>; Mon, 2 Dec 2013 14:47:08 -0800 (PST)
Received: from exprod6og119.obsmtp.com (exprod6og119.obsmtp.com [64.18.1.234]) by ietfa.amsl.com (Postfix) with ESMTP id 625411ADBCD for <dane@ietf.org>; Mon, 2 Dec 2013 14:47:08 -0800 (PST)
Received: from osprey.verisign.com ([216.168.239.75]) (using TLSv1) by exprod6ob119.postini.com ([64.18.5.12]) with SMTP ID DSNKUp0N6qo5fiCKKTC9SGokQUsC1joxXaz8@postini.com; Mon, 02 Dec 2013 14:47:06 PST
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01.vcorp.ad.vrsn.com [10.173.152.255]) by osprey.verisign.com (8.13.6/8.13.4) with ESMTP id rB2Ml5ON013404 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dane@ietf.org>; Mon, 2 Dec 2013 17:47:05 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.02.0342.003; Mon, 2 Dec 2013 17:47:05 -0500
From: "Dickson, Brian" <bdickson@verisign.com>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
Thread-Index: AQHO76wG5822/4zPjUefUdCiEuM5sJpBgbeA
Date: Mon, 2 Dec 2013 22:47:04 +0000
Message-ID: <CEC276E2.F1B6%bdickson@verisign.com>
In-Reply-To: <20131202221525.GO761@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <BD7D5BAB09DC0F4D8BF1B977120EC1B8@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 22:47:10 -0000

The asymmetry between 0/1 and 2/3 can be confusing - I had to read 6698
several times to sort it out.
(I am glad I did, though.)

IMHO the acronym should clarify things, or at least suggest which angle to
hold 6698 while squinting.

How about these:
0 - CERT-CA
1 - CERT-EE
2 - ROOT-TA
3 - JUST-EE

0 can be either a root CA, or intermediate CA. If the latter, this cert
itself must PKIX-validate.
2 can be either a root CA, or another trust anchor - but must be the root
of the validation chain either way.
1 requires PKIX validation, 3 does not, hence "just" an End Entity.

Thus, a ROOT-CA cert, can be used as either type 0 or type 2 - but that is
the only likely place where there is likely confusion.
(Of course, if your EE is a root CA, it could be type 1 - but then you are
clearly insane. :-))

Brian

On 12/2/13 5:15 PM, "Viktor Dukhovni" <viktor1dane@dukhovni.org> wrote:

>On Mon, Dec 02, 2013 at 04:34:37PM -0500, James Cloos wrote:
>
>> My pref is that the suffices be the same for each of the prefices,
>> therefore PKIX-TA vs DANE-TA vs PKIX-EE vs DANE-EE.
>
>I'm all for neatly aligned text, and I appreciate the increased
>cosmetic appeal, but surely the fact that this masks semantic
>differences is more important.
>
>    The CA in usage 0 is not a trust anchor, but it is in usage 2.
>
>    The chain in usage 2 still requires PKIX validation, be it with
>    a dynamically obtained trust anchor.
>
>So PKIX-TA and DANE-TA are each misleading, the first is not a TA,
>the second is still PKIX.  Are the acronyms just supposed to be
>more memorable than the numbers, or are they supposed to concisely
>convey the associated meaning?
>
>-- 
>	Viktor.
>_______________________________________________
>dane mailing list
>dane@ietf.org
>https://www.ietf.org/mailman/listinfo/dane