Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 07 October 2013 15:57 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCD121E81CC for <dane@ietfa.amsl.com>; Mon, 7 Oct 2013 08:57:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKzdPIW-KPAo for <dane@ietfa.amsl.com>; Mon, 7 Oct 2013 08:57:19 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id E5FC921E81DB for <dane@ietf.org>; Mon, 7 Oct 2013 08:56:48 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3A9E12AAF85; Mon, 7 Oct 2013 15:56:42 +0000 (UTC)
Date: Mon, 07 Oct 2013 15:56:42 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131007155642.GH483@mournblade.imrryr.org>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <024c01cec2dc$72b596e0$5820c4a0$@augustcellars.com> <20131006224742.GA483@mournblade.imrryr.org> <02e201cec370$b6d9e5d0$248db170$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <02e201cec370$b6d9e5d0$248db170$@augustcellars.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2013 15:57:25 -0000

On Mon, Oct 07, 2013 at 08:20:10AM -0700, Jim Schaad wrote:

> However they would not use DANE-TA in the event that a key ring that was
> self-signed was to be used to validate a second key wrong.

[ Typo for "ring" as "rong" auto-corrected to "wrong".

"Damn you auto-connect!"
Oops, sorry: "Damn you auto-corrupt!"
Oh, never mind...  ]

> In this case
> there is a root of trust (i.e. a TA) and then a second level signed PGP key
> which is used in the TLS session to do the appropriate things.  This allows
> for the TLS key to be rotated more frequently.  But there is no PKIX
> validation in this case and thus the use of DANE-TA, which seems logical, is
> wrong.

The DANE usages defined thus far are for TLS with X.509v3 certificates.
These may be self-signed, issued by a private self-signed TA, or
issued by a public CA.

I don't see where hypothetical PGP certificates fit in.

-- 
	Viktor.