Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Viktor Dukhovni <viktor1dane@dukhovni.org> Fri, 20 September 2013 02:11 UTC

Date: Fri, 20 Sep 2013 02:11:24 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130920021124.GE29796@mournblade.imrryr.org>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <m361twqxn9.fsf@carbon.jhcloos.org> <20130919221035.GC29796@mournblade.imrryr.org>
In-Reply-To: <20130919221035.GC29796@mournblade.imrryr.org>

On Thu, Sep 19, 2013 at 10:10:35PM +0000, Viktor Dukhovni wrote:

> Agreed on PKIX-TA vs. PKIX-CA.

On second thought, I am not so sure: the CA constraint with usage
0 is NOT a trust anchor; the trust anchor is still the PKIX root CA.

This usage requires the presence of a given CA (root or intermediate)
in the chain, but does not promote that CA to a trust anchor (as
with usage 2).  So perhaps the original PKIX-CA is in fact better.

-- 
	Viktor.
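The distinction drawn in the message above, as an added example that is not part of the original post, the RFC 6698 text, or any DANE implementation: a small model of TLSA certificate usages in which usage 0 (the CA constraint) requires ordinary PKIX validation to a locally trusted root and additionally requires the TLSA-named CA to appear in that validated path, while usage 2 makes the TLSA-named CA itself the trust anchor. The certificates, their "DER" bytes, and the root store are constructed stand-ins (no real X.509 parsing); the digest, selector and matching-type handling is limited to selector 0 / SHA-256.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

# Stand-in for an X.509 certificate. Real code would parse DER and hash
# the actual encoding; here 'der' is constructed placeholder bytes.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA (CA constraint), 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate (the only selector modelled here)
    mtype: int     # 1 = SHA-256 (the only matching type modelled here)
    data: str      # hex digest of the certificate

def cert_digest(cert: Cert) -> str:
    return hashlib.sha256(cert.der).hexdigest()

def tlsa_matches(rr: TLSA, cert: Cert) -> bool:
    return rr.selector == 0 and rr.mtype == 1 and rr.data == cert_digest(cert)

def chain_linked(chain: List[Cert]) -> bool:
    """Each certificate is issued by the next one (end entity first)."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1))

def pkix_path(chain: List[Cert], roots: Set[Cert]) -> Optional[List[Cert]]:
    """Simplified PKIX path building: the presented chain must link up to a
    certificate in the local root store. Returns EE..root, or None."""
    if not chain or not chain_linked(chain):
        return None
    top = chain[-1]
    if top in roots:
        return list(chain)
    for root in roots:
        if root.subject == top.issuer:
            return list(chain) + [root]
    return None

def dane_accepts(rr: TLSA, chain: List[Cert], roots: Set[Cert]) -> bool:
    if rr.usage == 0:
        # CA constraint: PKIX validation against the local roots must succeed,
        # AND the TLSA-named CA must appear above the EE in that validated
        # path. The trust anchor is still the PKIX root, not the named CA.
        path = pkix_path(chain, roots)
        return path is not None and any(tlsa_matches(rr, c) for c in path[1:])
    if rr.usage == 1:
        path = pkix_path(chain, roots)
        return path is not None and tlsa_matches(rr, path[0])
    if rr.usage == 2:
        # DANE-TA: the TLSA-named CA *is* the trust anchor. Local roots are
        # ignored; the chain only has to link from the EE up to that CA.
        for i in range(1, len(chain)):
            if tlsa_matches(rr, chain[i]) and chain_linked(chain[: i + 1]):
                return True
        return False
    if rr.usage == 3:
        return bool(chain) and tlsa_matches(rr, chain[0])
    return False

def demo() -> dict:
    # Constructed certificates: a public root, an intermediate it issued,
    # a private CA that no root store contains, and two end entities.
    public_root = Cert("Public Root", "Public Root", b"constructed-root")
    intermediate = Cert("Public Intermediate", "Public Root", b"constructed-int")
    private_ca = Cert("Private CA", "Private CA", b"constructed-private")
    ee_public = Cert("mail.example", "Public Intermediate", b"constructed-ee1")
    ee_private = Cert("mail.example", "Private CA", b"constructed-ee2")

    public_chain = [ee_public, intermediate]
    private_chain = [ee_private, private_ca]
    roots = {public_root}

    ca0_int = TLSA(0, 0, 1, cert_digest(intermediate))
    ta2_int = TLSA(2, 0, 1, cert_digest(intermediate))
    ca0_priv = TLSA(0, 0, 1, cert_digest(private_ca))
    ta2_priv = TLSA(2, 0, 1, cert_digest(private_ca))

    return {
        # usage 0 names the intermediate; the chain validates to the PKIX root
        "usage0_with_pkix_root": dane_accepts(ca0_int, public_chain, roots),
        # same record, but the PKIX root is not trusted: usage 0 fails, because
        # naming the intermediate never promoted it to a trust anchor
        "usage0_without_pkix_root": dane_accepts(ca0_int, public_chain, set()),
        # usage 2 names the same intermediate: it is the anchor, roots irrelevant
        "usage2_without_pkix_root": dane_accepts(ta2_int, public_chain, set()),
        # a private CA can never satisfy usage 0 (no PKIX path exists) ...
        "usage0_private_ca": dane_accepts(ca0_priv, private_chain, roots),
        # ... but is exactly what usage 2 is for
        "usage2_private_ca": dane_accepts(ta2_priv, private_chain, roots),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The second and third results are the point of the message: the same TLSA data for the same intermediate is rejected under usage 0 once the PKIX root is untrusted, and accepted under usage 2, because only usage 2 turns the named CA into the trust anchor.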