Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

"Jim Schaad" <ietf@augustcellars.com> Mon, 07 October 2013 20:42 UTC

> -----Original Message-----
> From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of
> Viktor Dukhovni
> Sent: Monday, October 07, 2013 8:57 AM
> To: dane@ietf.org
> Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym
> 
> On Mon, Oct 07, 2013 at 08:20:10AM -0700, Jim Schaad wrote:
> 
> > However they would not use DANE-TA in the event that a key ring that
> > was self-signed was to be used to validate a second key wrong.
> 
> [ Typo for "ring" as "rong" auto-corrected to "wrong".
> 
> "Damn you auto-connect!"
> Oops, sorry: "Damn you auto-corrupt!"
> Oh, never mind...  ]
> 
> > In this case
> > there is a root of trust (i.e. a TA) and then a second level signed
> > PGP key which is used in the TLS session to do the appropriate things.
> > This allows for the TLS key to be rotated more frequently.  But there
> > is no PKIX validation in this case and thus the use of DANE-TA, which
> > seems logical, is wrong.
> 
> The DANE usages defined thus far are for TLS with X.509v3 certificates.
> These may be self-signed, issued by a private self-signed TA, or issued by
> a public CA.
> 
> I don't see where hypothetical PGP certificates fit in.

It was an attempt to point out that trust anchors could be done for more
than just PKIX certificates, but it apparently did not succeed.  The issue
is that if you have a PGP trust anchor and a PKIX trust anchor they should
probably not have the same descriptive name (and hence value) since the side
semantics are not the same.

Jim

> 
> --
> 	Viktor.
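To make the distinction Viktor draws concrete, here is an added example (not from this thread, the draft, or any DANE implementation) that applies the four RFC 6698 certificate usages, with the acronyms proposed in draft-ietf-dane-registry-acronym, to an X.509 chain: the two *-TA usages require a matching certificate above the end entity and a path validated up to it, which is exactly the semantics a PGP-style signed key ring does not carry. It assumes certificates modelled as constructed byte strings, a caller-supplied `pkix_valid` flag standing in for real path validation, and hypothetical helper names `tlsa_data_for`, `tlsa_accepts` and `constructed_chain`.

```python
# Added example, not code from the thread or from any DANE implementation.
# Certificates are modelled as constructed byte strings; real signature
# checking and PKIX path building are represented by the pkix_valid flag.
import hashlib

# Acronyms proposed in draft-ietf-dane-registry-acronym for RFC 6698 usages
USAGE_ACRONYM = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

def tlsa_data_for(cert, selector, mtype):
    """Compute the TLSA certificate association data for one certificate.
    selector 0 = full DER certificate, 1 = SubjectPublicKeyInfo;
    mtype 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest."""
    data = cert["der"] if selector == 0 else cert["spki"]
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %r" % mtype)

def tlsa_accepts(usage, selector, mtype, tlsa_data, chain, pkix_valid):
    """Decide whether an X.509 chain (end-entity first) satisfies a TLSA record.
    Unknown usages or matching types make the record unusable (False)."""
    if usage not in USAGE_ACRONYM or mtype not in (0, 1, 2):
        return False
    ee, issuers = chain[0], chain[1:]
    # PKIX-TA / PKIX-EE constrain an already PKIX-valid chain; they never
    # replace path validation.
    if USAGE_ACRONYM[usage].startswith("PKIX") and not pkix_valid:
        return False
    if USAGE_ACRONYM[usage].endswith("-TA"):
        # A trust anchor must appear in the chain above the end entity; the
        # chain is then expected to validate up to that anchor.
        return any(tlsa_data_for(c, selector, mtype) == tlsa_data for c in issuers)
    # *-EE: only the end-entity certificate itself is compared.
    return tlsa_data_for(ee, selector, mtype) == tlsa_data

def constructed_chain():
    """A constructed stand-in for an EE certificate issued by a private root."""
    ee = {"der": b"DER:ee-cert", "spki": b"SPKI:ee-key"}
    root = {"der": b"DER:private-root", "spki": b"SPKI:root-key"}
    return [ee, root]
```

With a private root, only DANE-TA (usage 2) accepts the chain without a public-CA validation result, which is why the usage name has to mean "trust anchor for PKIX path validation" and not merely "some higher-level key".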