Re: [dane] Draft for serializing DNSSEC chains

"Osterweil, Eric" <eosterweil@verisign.com> Thu, 30 June 2011 14:52 UTC

Date: Thu, 30 Jun 2011 10:51:45 -0400
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: Adam Langley <agl@imperialviolet.org>, dane@ietf.org
Message-ID: <CA3205C1.CE0D%eosterweil@verisign.com>
In-Reply-To: <BANLkTinugTJB-xhSekN4jn6c9Bv7KcJEFsCa+ZxnwTBcydtXjQ@mail.gmail.com>
Subject: Re: [dane] Draft for serializing DNSSEC chains
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>

On 6/28/11 2:22 PM, "Adam Langley" <agl@imperialviolet.org> wrote:

> As promised. (This is also the format that Chrome is using for its
> DNSSEC stapled certificate support.)
> 
> http://tools.ietf.org/html/draft-agl-dane-serializechain-00


I think I may be missing something here, so can someone clarify the
following for me: what happens if someone encodes the chain of trust in one
of these certs, and then the zones in that chain change their keys
(rollovers, revocations, etc.)?  Isn't encoding a dynamic chain of trust in
a static cert a requirements mismatch?

Eric
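A small model of the concern raised above, as an added Python example that is not part of the thread or of the draft: a chain stapled into a certificate can only be verified while every RRSIG it carries is inside its own inception..expiration window, so the chain's effective lifetime is the intersection of those windows and can be compared against the certificate's notAfter. Zone key rollover is modelled only through signature expiry, since the stapled chain carries its own DNSKEY and DS RRsets and a rollover at the live zone is invisible to a verifier of the stapled data until those signatures expire. The record names, validity windows and certificate lifetime are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of what a serialized chain carries: each signed RRset
# (DNSKEY, DS, TLSA, ...) travels with its RRSIG, and the RRSIG validity
# window is what bounds how long the stapled data can still be verified.
@dataclass(frozen=True)
class SignedRRset:
    owner: str
    rrtype: str
    inception: datetime   # RRSIG inception (UTC)
    expiration: datetime  # RRSIG expiration (UTC)

def chain_window(chain):
    """Intersect the RRSIG windows: the whole chain verifies only while every
    signature in it is currently valid, so take the latest inception and the
    earliest expiration."""
    start = max(r.inception for r in chain)
    end = min(r.expiration for r in chain)
    return start, end

def staple_is_verifiable(chain, at):
    """True if the stapled chain can be verified at time `at`."""
    start, end = chain_window(chain)
    return start <= at <= end

def mismatch_days(chain, cert_not_after):
    """Days by which the certificate outlives its embedded chain (0 if none).
    A positive value is the mismatch raised in the thread: the static cert is
    still valid while the dynamic chain inside it can no longer be verified."""
    _, end = chain_window(chain)
    return max(0, (cert_not_after - end).days)

# Constructed sample: root -> com -> example.com -> TLSA, stapled into a
# certificate issued for one year. Windows are typical short RRSIG lifetimes.
T0 = datetime(2011, 6, 30, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    SignedRRset(".", "DNSKEY", T0 - timedelta(days=1), T0 + timedelta(days=14)),
    SignedRRset("com.", "DS", T0 - timedelta(days=1), T0 + timedelta(days=7)),
    SignedRRset("com.", "DNSKEY", T0 - timedelta(days=1), T0 + timedelta(days=10)),
    SignedRRset("example.com.", "DS", T0, T0 + timedelta(days=9)),
    SignedRRset("example.com.", "DNSKEY", T0, T0 + timedelta(days=30)),
    SignedRRset("_443._tcp.example.com.", "TLSA", T0, T0 + timedelta(days=30)),
]
CERT_NOT_AFTER = T0 + timedelta(days=365)

if __name__ == "__main__":
    start, end = chain_window(SAMPLE_CHAIN)
    print("chain verifiable from", start, "to", end)
    print("cert outlives its chain by", mismatch_days(SAMPLE_CHAIN, CERT_NOT_AFTER), "days")
```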