[dane] [Errata Rejected] RFC6698 (3594)
RFC Errata System <rfc-editor@rfc-editor.org> Mon, 19 September 2016 14:30 UTC
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B090812B3CF; Mon, 19 Sep 2016 07:30:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.918
X-Spam-Level:
X-Spam-Status: No, score=-104.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.316, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kOnH2xMLvLT5; Mon, 19 Sep 2016 07:30:11 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0C612B05C; Mon, 19 Sep 2016 07:30:11 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 7BDC2B80F83; Mon, 19 Sep 2016 07:30:11 -0700 (PDT)
To: viktor1dane@dukhovni.org, paul.hoffman@vpnc.org, jakob@kirei.se
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <20160919143011.7BDC2B80F83@rfc-editor.org>
Date: Mon, 19 Sep 2016 07:30:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/Kur9Ylgtso8tyUmIfMMYsFs0hK0>
Cc: rfc-editor@rfc-editor.org, dane@ietf.org, iesg@ietf.org
Subject: [dane] [Errata Rejected] RFC6698 (3594)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2016 14:30:16 -0000
The following errata report has been rejected for RFC6698, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=6698&eid=3594 -------------------------------------- Status: Rejected Type: Technical Reported by: Viktor Dukhovni <viktor1dane@dukhovni.org> Date Reported: 2013-04-16 Rejected by: Stephen Farrell (IESG) Section: 2.1.1 Original Text ------------- 2 -- Certificate usage 2 is used to specify a certificate, or the public key of such a certificate, that MUST be used as the trust anchor when validating the end entity certificate given by the server in TLS. This certificate usage is sometimes referred to as "trust anchor assertion" and allows a domain name administrator to specify a new trust anchor -- for example, if the domain issues its own certificates under its own CA that is not expected to be in the end users' collection of trust anchors. The target certificate MUST pass PKIX certification path validation, with any certificate matching the TLSA record considered to be a trust anchor for this certification path validation. Corrected Text -------------- 2 -- Certificate usage 2 is used to specify a certificate, or the public key of such a certificate, that MUST be used as the trust anchor when validating the end entity certificate given by the server in TLS. This certificate usage is sometimes referred to as "trust anchor assertion" and allows a domain name administrator to specify a new trust anchor -- for example, if the domain issues its own certificates under its own CA that is not expected to be in the end users' collection of trust anchors. The target certificate MUST pass PKIX certification path validation, with any certificate matching the TLSA record considered to be a trust anchor for this certification path validation. Since clients cannot be presumed to have their own copy of the trust-anchor certificate, when the TLSA association specifies a certificate digest, the TLS server MUST be configured to provide the trust-anchor certificate in its "certificate_list" TLS handshake message. Notes ----- As per discussion on the DANE WG list, this was overtaken by events and so is rejected. This is critical for interoperability between clients and servers. A client that commits to verify TLSA RR certificate associations will fail if it can't obtain the required certificates. With usage "2" there is no presumption that these are available to the client. If servers are not obligated to provide them the protocol will consistently fail. With non-interactive protocols where there is no user to "click OK", such as SMTP, there is no good work-around and both client and server owners suffer. --VERIFIER NOTES-- As per discussion on the DANE WG list, this was overtaken by events and so is rejected. -------------------------------------- RFC6698 (draft-ietf-dane-protocol-23) -------------------------------------- Title : The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA Publication Date : August 2012 Author(s) : P. Hoffman, J. Schlyter Category : PROPOSED STANDARD Source : DNS-based Authentication of Named Entities Area : Security Stream : IETF Verifying Party : IESG
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- [dane] [Technical Errata Reported] RFC6698 (3594) RFC Errata System
- Re: [dane] [Technical Errata Reported] RFC6698 (3… John Gilmore
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Richard Barnes
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Jakob Schlyter
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Richard Barnes
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Andrew Sullivan
- [dane] unseen errata, was Re: [Technical Errata R… Paul Wouters
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] unseen errata, was Re: [Technical Erra… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… SM
- Re: [dane] [Technical Errata Reported] RFC6698 (3… SM
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… SM
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… SM
- [dane] DANE operational requirements Paul Hoffman
- Re: [dane] DANE operational requirements Viktor Dukhovni
- Re: [dane] DANE operational requirements nudge
- Re: [dane] DANE operational requirements Paul Hoffman
- Re: [dane] DANE operational requirements Lawrence Conroy
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Andrew Sullivan
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Ondřej Surý
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Andrew Sullivan
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Ondřej Surý
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Paul Hoffman
- Re: [dane] [Technical Errata Reported] RFC6698 (3… ondrej.sury
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Warren Kumari
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Wes Hardaker
- Re: [dane] [Technical Errata Reported] RFC6698 (3… James Cloos
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Martin Rex
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Warren Kumari
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Viktor Dukhovni
- Re: [dane] [Technical Errata Reported] RFC6698 (3… Warren Kumari
- [dane] [Errata Rejected] RFC6698 (3594) RFC Errata System