Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 09 December 2013 01:32 UTC
Date: Mon, 09 Dec 2013 01:32:21 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131209013221.GV761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131205175314.GH761@mournblade.imrryr.org> <E78C07CA-B742-43B2-8848-33DEB22A8014@kumari.net> <201312080234.rB82YeoW029387@new.toad.com> <20131208235315.GU761@mournblade.imrryr.org> <20131209010945.5AA2FB5C445@rock.dv.isc.org>
In-Reply-To: <20131209010945.5AA2FB5C445@rock.dv.isc.org>
On Mon, Dec 09, 2013 at 12:09:44PM +1100, Mark Andrews wrote:

> > I am not fundamentally opposed to human-readable TLSA RRs:
> >
> > ; _25._tcp.mx.example.com. IN TLSA 3 1 2
> > _25._tcp.mx.example.com. IN TLSA TRUSTED-LEAF PUBLIC-KEY SHA2-512 {blob}[
>
> If anything other than numeric values appear in the records you
> will break existing TLSA record parsers.  Names are useful when
> describing things. ...

Thanks, finally I said something wrong enough to elicit a follow-up! :-)

Yes, tools that emit records in canonical form should use numbers.
Users may elect to enter mnemonic forms when supported by the target
application.

Now that you're here, any suggestions for good names, or thoughts on
what to do with the draft?

> TLSA, like DNSKEY, will need tools to take certs etc. and generate
> TLSA records.  Those tools can use names but they emit records in
> numeric form.

A humble example below.

-- 
	Viktor.

#! /bin/sh
#
# Generate a TLSA record from a PEM certificate.  Numeric or mnemonic
# field values are accepted on input; the emitted record is always
# numeric.  All three fields are mapped to numbers before anything
# runs, so an invalid value aborts the script rather than a subshell
# inside the pipeline.

error() { echo "$1" 1>&2; exit 1; }

usage() {
    error "Usage: $0 cert.pem host[:port] usage selector mtype"
}

# Case-insensitive matching: lowercase the argument, match lowercase patterns.
lower() { echo "$1" | tr '[A-Z]' '[a-z]'; }

if [ $# -ne 5 ]; then usage; fi
cert=$1
hostport=$2

# Certificate usage (RFC 6698 field 1)
case "$(lower "$3")" in
0|pkix-ca|pkix-ta|valid-ca)  cu=0;;
1|pkix-ee|valid-leaf)        cu=1;;
2|dane-ta|trusted-ca)        cu=2;;
3|dane-ee|trusted-leaf)      cu=3;;
*) error "Invalid certificate usage: $3";;
esac

# Selector (field 2): full certificate or SubjectPublicKeyInfo
case "$(lower "$4")" in
0|cert*)         sel=0;;
1|spki|public*)  sel=1;;
*) error "Invalid selector: $4";;
esac

# Matching type (field 3): full data or a SHA-2 digest of it
case "$(lower "$5")" in
0|full*)                    mt=0;;
1|sha2-256|sha256|sha-256)  mt=1;;
2|sha2-512|sha512|sha-512)  mt=2;;
*) error "Invalid matching type: $5";;
esac

# DER encoding of the selected object
extract() {
    case "$sel" in
    0) openssl x509 -in "$cert" -outform DER;;
    1) openssl x509 -in "$cert" -noout -pubkey |
       openssl pkey -pubin -outform DER;;
    esac
}

# Apply the matching type to the DER data
digest() {
    case "$mt" in
    0) cat;;
    1) openssl dgst -sha256 -binary;;
    2) openssl dgst -sha512 -binary;;
    esac
}

# Hex-encode the association data and print the record in numeric form
encode() {
    perl -e '
        ($hostport, $u, $s, $m) = @ARGV;
        ($host, $port) = split(":", $hostport);
        $port ||= 443;
        $/ = undef;
        ($data = <STDIN>) =~ s/(.)/sprintf("%02X", ord($1))/egs;
        printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n",
            $port, $host, $u, $s, $m, $data;
    ' "$hostport" "$cu" "$sel" "$mt"
}

extract | digest | encode
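An added example, not Viktor's script and not from the list archive, that does the same mnemonic-to-numeric mapping in Python and also covers the other direction a resolver-side tool needs: checking a presented certificate against a TLSA record's selector, matching type and association data. The mnemonic names are the ones used in the thread and in the script above; the DER walker is a minimal one that only knows enough of the Certificate structure to locate the SubjectPublicKeyInfo, and the sample certificate it is exercised on is a constructed, unsigned skeleton, so it runs offline without openssl. The `matches()` check covers the association data only; PKIX path validation for usages 0 to 2 is a separate step.

```python
"""Generate and match TLSA records; mnemonic names in, numeric fields out."""
import hashlib

# Mnemonics from the thread, mapped to the numeric RFC 6698 field values.
CERT_USAGE = {"pkix-ta": 0, "pkix-ca": 0, "valid-ca": 0,
              "pkix-ee": 1, "valid-leaf": 1,
              "dane-ta": 2, "trusted-ca": 2,
              "dane-ee": 3, "trusted-leaf": 3}
SELECTOR = {"cert": 0, "spki": 1, "public-key": 1}
MATCHING = {"full": 0, "sha2-256": 1, "sha256": 1, "sha-256": 1,
            "sha2-512": 2, "sha512": 2, "sha-512": 2}


def field(value, table, name):
    """Accept a numeric or mnemonic field value; return the number."""
    v = str(value).strip().lower()
    if v.isdigit() and int(v) in table.values():
        return int(v)
    if v in table:
        return table[v]
    raise ValueError("Invalid %s: %r" % (name, value))


def der_tlv(buf, pos=0):
    """Parse one DER TLV (single-byte tag) at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value's content into (tag, raw_tlv) items."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER Certificate."""
    tag, cert_body, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_tlv(cert_body)      # tbsCertificate
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:      # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def association_data(cert_der, selector, mtype):
    """Selected object (cert or SPKI) after applying the matching type."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("Invalid matching type: %r" % mtype)


def tlsa_record(cert_der, host, port, usage, selector, mtype):
    """Emit the record in canonical numeric form, whatever was typed in."""
    u = field(usage, CERT_USAGE, "certificate usage")
    s = field(selector, SELECTOR, "selector")
    m = field(mtype, MATCHING, "matching type")
    hexdata = association_data(cert_der, s, m).hex().upper()
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (port, host, u, s, m, hexdata)


def matches(record, cert_der):
    """Association-data check of a presented certificate against a record."""
    _owner, _cls, _type, _u, s, m, hexdata = record.split()
    computed = association_data(cert_der, int(s), int(m)).hex().upper()
    return computed == hexdata.upper()


def _der(tag, content):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert():
    """Constructed, unsigned Certificate skeleton -> (cert_der, spki_der)."""
    ec_oid = _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")        # id-ecPublicKey
    sig_oid = _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02")   # ecdsa-with-SHA256
    spki = _der(0x30, _der(0x30, ec_oid) + _der(0x03, b"\x00\x04" + b"\x11" * 64))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))            # [0] version v3
                    + _der(0x02, b"\x01")                        # serialNumber
                    + _der(0x30, sig_oid)                        # signature
                    + _der(0x30, b"")                            # issuer (empty)
                    + _der(0x30, _der(0x17, b"130101000000Z")
                                 + _der(0x17, b"140101000000Z"))  # validity
                    + _der(0x30, b"")                            # subject (empty)
                    + spki)
    cert = _der(0x30, tbs + _der(0x30, sig_oid) + _der(0x03, b"\x00\x30\x00"))
    return cert, spki


if __name__ == "__main__":
    cert, _ = sample_cert()
    print(tlsa_record(cert, "mx.example.com", 25, "TRUSTED-LEAF", "PUBLIC-KEY", "SHA2-512"))
```

Running it prints a `3 1 2` record for the sample skeleton; feeding `tlsa_record()` the DER of a real certificate (for instance the output of `openssl x509 -outform DER`) produces the record a tool would publish, and `matches()` is the check a verifying client applies to the certificate it is shown.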