Re: [dane] Draft for serializing DNSSEC chains
Rickard Bellgrim <rickardb@certezza.net> Wed, 29 June 2011 18:09 UTC
Return-Path: <rickardb@certezza.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6348821F85CA for <dane@ietfa.amsl.com>; Wed, 29 Jun 2011 11:09:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.53
X-Spam-Level:
X-Spam-Status: No, score=-5.53 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hPWya4Cj2pbF for <dane@ietfa.amsl.com>; Wed, 29 Jun 2011 11:09:06 -0700 (PDT)
Received: from mx1.certezza.net (mx2.certezza.net [82.99.51.26]) by ietfa.amsl.com (Postfix) with ESMTP id B6D0121F85C7 for <dane@ietf.org>; Wed, 29 Jun 2011 11:09:06 -0700 (PDT)
From: Rickard Bellgrim <rickardb@certezza.net>
To: Adam Langley <agl@imperialviolet.org>, "dane@ietf.org" <dane@ietf.org>
Date: Wed, 29 Jun 2011 08:19:05 +0200
Thread-Topic: [dane] Draft for serializing DNSSEC chains
Thread-Index: Acw1wIZd2jLbCNZ2STWKmWAFQ6o9mAAY1GsQ
Message-ID: <7ADA424A25710B41B7C8201DA111AF190882236CA1@mail01.certezza.local>
References: <BANLkTinugTJB-xhSekN4jn6c9Bv7KcJEFsCa+ZxnwTBcydtXjQ@mail.gmail.com>
In-Reply-To: <BANLkTinugTJB-xhSekN4jn6c9Bv7KcJEFsCa+ZxnwTBcydtXjQ@mail.gmail.com>
Accept-Language: sv-SE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: sv-SE
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Received-SPF: none
Subject: Re: [dane] Draft for serializing DNSSEC chains
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2011 18:09:07 -0000
> -----Original Message----- > From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of > Adam Langley > Sent: den 28 juni 2011 20:23 > To: dane@ietf.org > Subject: [dane] Draft for serializing DNSSEC chains > > As promised. (This is also the format that Chrome is using for it's DNSSEC > stapled certificate support.) > > http://tools.ietf.org/html/draft-agl-dane-serializechain-00 Isn't the initial_key_tag a little bit weak as a trust anchor? You could easily get a collision here. Perhaps using the DS as initial_ds instead of initial_key_tag? // Rickard
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains =JeffH
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Stephen Farrell
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Mark Andrews
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Rickard Bellgrim
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Marc Lampo
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Paul Wouters
- Re: [dane] Draft for serializing DNSSEC chains Matt McCutchen
- Re: [dane] Draft for serializing DNSSEC chains Osterweil, Eric
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Olafur Gudmundsson
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Richard L. Barnes
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Eric Osterweil
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains John Gilmore
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Martin Rex
- Re: [dane] Draft for serializing DNSSEC chains Phillip Hallam-Baker
- Re: [dane] Draft for serializing DNSSEC chains Tony Finch
- Re: [dane] Draft for serializing DNSSEC chains Jakob Schlyter
- Re: [dane] Draft for serializing DNSSEC chains Jim Schaad
- Re: [dane] Draft for serializing DNSSEC chains Adam Langley