Re: [dane] On the PKIX-TA / PKIX-CA question… [ One week WGLC ]

Bry8 Star <bry8star@inventati.org> Wed, 04 December 2013 05:34 UTC

Return-Path: <bry8star@inventati.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 393191AE1EA for <dane@ietfa.amsl.com>; Tue, 3 Dec 2013 21:34:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.102
X-Spam-Level:
X-Spam-Status: No, score=-1.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_44=0.6, MIME_8BIT_HEADER=0.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EtOzT_kb_vPZ for <dane@ietfa.amsl.com>; Tue, 3 Dec 2013 21:34:47 -0800 (PST)
Received: from latitanza.investici.org (latitanza.investici.org [82.94.249.234]) by ietfa.amsl.com (Postfix) with ESMTP id 770EC1AE03F for <dane@ietf.org>; Tue, 3 Dec 2013 21:34:47 -0800 (PST)
Received: from [82.94.249.234] (latitanza [82.94.249.234]) (Authenticated sender: bry8star@inventati.org) by localhost (Postfix) with ESMTPSA id 559E1984BE for <dane@ietf.org>; Wed, 4 Dec 2013 05:34:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inventati.org; s=stigmate; t=1386135283; bh=9Ew8UdDHt8LhHsHhn1ITf0KCNdiAWouDsEn8CV5PdRc=; h=Date:From:Reply-To:To:Subject:References:In-Reply-To; b=iohR6RNKnE/0r3OwXoR4Q3dL0AeoJKGKWzHAcBF4zPuAqqy02DhSvK4SH7e3S89nC Vdf+T0Hs5T5pmk5C0qfENWFNykHsDKdF3NAMtVgLeaXQYmfAu2QhY71/E3fC7uGNdS 8WfX65YtPwH1xkoc2+QPIj3nNmS8oujqj+LLbxjo=
Message-ID: <529EBF12.8000101@inventati.org>
Date: Tue, 03 Dec 2013 21:35:14 -0800
From: Bry8 Star <bry8star@inventati.org>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: dane@ietf.org
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net>
In-Reply-To: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [dane] =?windows-1252?q?On_the_PKIX-TA_/_PKIX-CA_question=85_=5B_?= =?windows-1252?q?One_week_WGLC_=5D?=
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: bry8star@inventati.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 05:34:50 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

U = Usage
DANE = TLSA
PKIX = PKIX certification path validation (CPV)
EE = End entity.

That <something> can be DOI or ZOI (Domain/Zone Owner Issued) ? ?
or DI / ZI  (Domain/Zone Issued).

This 4 U categories are not enough, as "The Certificate Usage Field"
(Section 2.1.1 of RFC 6698).

*Please add* at least few more appropriate category for declaring
very accurately & correctly, so that no confusion exists, for
publicly declaring to others: (A) INTERMEDIATE CA or TA certs (under
U=0 & U=2), (B) a category for EE certs with PKIX *AND* DANE check
under TA (U=2) certs (if U=1 is not for that purpose).

Joining suggestion from this thread:
0 - "CA constraint" = CA-CHECK = PKIX-CA = LIMIT-CA = REQUIRED-CA
    = CA-LOVER
1 - "service certificate constraint" = EE-CHECK = LIMIT-EE
    = REQUIRED-LEAF = CA-SLAVE
2 - "trust anchor assertion" = DANE-TA = PKIX-TA = TRUSTED-CA = CA-OWNER
3 - "domain-issued certificate" = DANE-EE = MATCHING-LEAF = CA-HATER

U = 0 can be used for either a TA or CA cert declaration.
U = 2 is for Domain-issued TA cert declaration.
U = 3 is for Domain-issued EE cert declaration.

TLSA = DANE

So these seems to be appropriate from my point of view for now:
0 = 3PI-CA:TLSA+PKIX  (for 3rd Party Issued CA or TA cert)
  or 3PI-TA
1 = EE:TLSA+PKIX  (for End entity cert)
2 = DOI-TA:TLSA+PKIX  (for Domain Owner Issued TA cert)
  or ZOI-TA  (for Zone Owner Issued TA cert)
3 = DOI-EE:TLSA+NO-PKIX (for Domain Owner Issued EE cert)
  or ZOI-EE

TLSA = DANE

U = 1 type of SSL cert declaration, (are PKIX+TLSA *checked*),
and 1 can be:
either under the U = 0 (are also PKIX+DANE *checked*) cert,
or can be under the U = 2 (are PKIX+DANE *checked*) cert.

Since U = 3 DO *NOT* REQUIRE a PKIX CPV check,
then, *WHERE* is the EE-DANE+PKIX-CHECKED category !? for declaring
certs that are under U=2 ?

So, can U = 1 type cert TLSA(DANE) declaration, be used for such
certs, which can be either under a CA (U=0) or under a TA (U=2), to
me this seems to make sense.
Then U=1 can serve EE_DANE+PKIX_CHECKED, for both U=0 & U=2.

BrS



Received from Warren Kumari, on 2013-12-02 10:44 AM:
> Hi all,
> 
> So, it seems that I judged consensus without enough data. I should know by now that naming things is always a fun topic :-)
> 
> So, lets try and get this "what to call it" question nailed down once and for all.
> 
> Please express a preference for:
> 
> PKIX-TA
> PKIX-CA
> DANE-<something>
> 
> I don't think that anyone really *loves* any of the above, so an even better outcome is that someone proposes a better acronym that everyone likes...
> 
> We are keeping this to 1 week -- please get a response in before Monday, Dec 9th.
> 
> W
> 



Reference, from RFC 6698:

Hoffman & Schlyter           Standards Track                    [Page 7]
RFC 6698            DNS-Based Authentication for TLS         August 2012

0 -- Certificate usage 0 is used to specify a CA certificate, or
  the public key of such a certificate, that MUST be found in any of
  the PKIX certification paths for the end entity certificate given
  by the server in TLS.  This certificate usage is sometimes
  referred to as "CA constraint" because it limits which CA can be
  used to issue certificates for a given service on a host.  The
  presented certificate MUST pass PKIX certification path
  validation, and a CA certificate that matches the TLSA record MUST
  be included as part of a valid certification path.  Because this
  certificate usage allows both trust anchors and CA certificates,
  the certificate might or might not have the basicConstraints
  extension present.

1 -- Certificate usage 1 is used to specify an end entity
  certificate, or the public key of such a certificate, that MUST be
  matched with the end entity certificate given by the server in
  TLS.  This certificate usage is sometimes referred to as "service
  certificate constraint" because it limits which end entity
  certificate can be used by a given service on a host.  The target
  certificate MUST pass PKIX certification path validation and MUST
  match the TLSA record.

2 -- Certificate usage 2 is used to specify a certificate, or the
  public key of such a certificate, that MUST be used as the trust
  anchor when validating the end entity certificate given by the
  server in TLS.  This certificate usage is sometimes referred to as
  "trust anchor assertion" and allows a domain name administrator to
  specify a new trust anchor -- for example, if the domain issues
  its own certificates under its own CA that is not expected to be
  in the end users' collection of trust anchors.  The target
  certificate MUST pass PKIX certification path validation, with any
  certificate matching the TLSA record considered to be a trust
  anchor for this certification path validation.

3 -- Certificate usage 3 is used to specify a certificate, or the
  public key of such a certificate, that MUST match the end entity
  certificate given by the server in TLS.  This certificate usage is
  sometimes referred to as "domain-issued certificate" because it
  allows for a domain name administrator to issue certificates for a
  domain without involving a third-party CA.  The target certificate
  MUST match the TLSA record.  The difference between certificate
  usage 1 and certificate usage 3 is that certificate usage 1
  requires that the certificate pass PKIX validation, but PKIX
  validation is not tested for certificate usage 3.

Note: Pls make sure to reply only into one email
      address: dane@ietf.org , when you reply, Thanks in advance.
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJSnr8SXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRDNzBGRDNEMDcwRUI1Q0FERkMwNDBGQ0I4
MEY2OEE0NjFGNTkyM0ZBAAoJEID2ikYfWSP6O3oP/0e6+6BPo2FsASnXLgdcbp08
qc2GHTH6brZ4S/qAswgj/VIJRE/1/SFQhZHAtRlRz96GIoZZ1g9WrIjsXt4qsmto
74jJqC9Ay3fa2dj9qVJZSpLcImDtnVoZIvaXkfCDS6afU3anTa5KjUFoNS3PRHjg
KX1eiNzP+4r1phf+gQNv8OOxRM54/FHvmfx5f0T34Ac9bv80NHNUNZR1VpsGCxBB
uKVB+gIF6Pnt/RP+XN9wAdT7cOPmPdNIVN39ebqsgt3MGL694otr3rUlczSD+OcD
tpAv+uEhdXUQN5RZt9z2cwxxh3V6iM1vQhoHRA3eHYgkrB3TOhKwmJRNuDREAVnd
kLXn6fLei+asvauVlyFYACjmdk8tTPJ1wCDb3FumbYOZ3u8guXuAfLOJdJYGLbSP
c2RKu0GJq9DtIxQqTKIHz32Tydf3VccAy2e/C9IxuHcfiVqbq6rTE1kYxbci6zv9
1EvFH+QKVRiZg2OzGFmLqu0tzD/QGsIjTBVpvIc2CVru52RsmzSGDxLaFsozf7PS
kAkQN1q44PGUstixajhtpE9BYQ3ZiyTrG5LSciG8yzLNbSmajFm29GSs//GU60SB
zLTt7JNJnvmoHzVfVCE1LkoMw/zve+xdvStwIuo47fCOV/AHntxJ+hI0rRLK/Bbr
nQvVKM+49opvJY9Bdzwj
=rwXE
-----END PGP SIGNATURE-----