Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

Viktor Dukhovni <viktor1dane@dukhovni.org> Sun, 06 October 2013 22:47 UTC

Date: Sun, 06 Oct 2013 22:47:42 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131006224742.GA483@mournblade.imrryr.org>
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <024c01cec2dc$72b596e0$5820c4a0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <024c01cec2dc$72b596e0$5820c4a0$@augustcellars.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

On Sun, Oct 06, 2013 at 02:38:50PM -0700, Jim Schaad wrote:

> 5.  As I have stated before, I am not a fan of using DANE-TA for value 2.
> To me this loses the fact that there will be PKIX processing that occurs
> with this section.  I would strongly recommend that this become PKIX-TA.

I think that would confuse almost everyone.  The "PKI" part of PKIX
carries mental baggage that is inappropriate in this context.

Yes, any trust-anchor implies validating certificate chains,
performing name checks on the leaf, ...  Thus the mechanics of validating
usage 2 associations are very similar to the mechanics of doing
the same with an a-priori configured public CA trust anchor.  Alas,
when one hears PKIX, the associated mental baggage includes the
full panoply of public CAs and does not evoke the decentralized
DANE model.

Thus "TA" is IMHO already sufficient to imply all the relevant
technical features, without evoking unwanted mental associations.

> The use of PKIX-TA for the value of 0 never made any sense since there is
> no trust anchor decision that is associated with the certificate in this
> record.  The only two records currently that have a trust anchor, as opposed
> to a constraint, component are 2 and 3.

Here I've already agreed with you upthread: I think PKIX-CA is
better (Paul Hoffman disagreed, but frankly I am not sure
how his response applies to the question at hand).

-- 
	Viktor.
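The distinction the thread turns on (usages 0 and 1 are constraints on an ordinary PKIX validation, while usage 2 supplies a trust anchor of its own and usage 3 a trusted leaf) is easier to see in code. The following is an added example written for this archive page; it is not code from the thread, the draft, or any DANE implementation. It assumes the usage numbering and selector/matching-type semantics of RFC 6698, takes the acronyms PKIX-EE and DANE-EE for usages 1 and 3 as given by the draft under discussion, and replaces real X.509 parsing and signature checking with constructed byte strings and a toy "issuer key equals next key" chain walk.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# TLSA certificate usage values (RFC 6698) with the acronyms the draft under
# discussion attaches to them (assumed here from the thread context).
USAGE_ACRONYM = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class Cert:
    """Toy stand-in for an X.509 certificate: constructed bytes, not real DER."""
    name: str
    der: bytes          # stands in for the full certificate encoding
    spki: bytes         # stands in for the SubjectPublicKeyInfo encoding
    issuer_spki: bytes  # SPKI of the key that signed this cert (toy chaining)


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0..3, see USAGE_ACRONYM
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def matches(rr: TLSA, cert: Cert) -> bool:
    """Does this record's association data match this certificate?"""
    if rr.selector not in (0, 1):
        raise ValueError(f"unknown selector {rr.selector}")
    selected = cert.der if rr.selector == 0 else cert.spki
    if rr.matching_type == 0:
        return selected == rr.data
    if rr.matching_type == 1:
        return hashlib.sha256(selected).digest() == rr.data
    if rr.matching_type == 2:
        return hashlib.sha512(selected).digest() == rr.data
    raise ValueError(f"unknown matching type {rr.matching_type}")


def chains_to(chain: List[Cert], anchor_index: int) -> bool:
    """Toy path check: every cert below the anchor is signed by the one above it."""
    return all(chain[i].issuer_spki == chain[i + 1].spki for i in range(anchor_index))


def evaluate(rr: TLSA, chain: List[Cert], pkix_valid: bool) -> Tuple[bool, str]:
    """Decide whether the server's chain (chain[0] is the leaf) satisfies one record.
    pkix_valid is the result of ordinary PKIX validation against the client's
    preconfigured public CA store, computed elsewhere and passed in."""
    acronym = USAGE_ACRONYM.get(rr.usage, "unknown")
    if rr.usage in (0, 1):
        # PKIX-* usages are constraints: PKIX must already succeed, and the
        # record then narrows which CA (usage 0) or leaf (usage 1) is acceptable.
        if not pkix_valid:
            return False, f"{acronym}: PKIX validation failed, constraint not reached"
        candidates = chain if rr.usage == 0 else chain[:1]
        ok = any(matches(rr, c) for c in candidates)
        return ok, f"{acronym}: constraint {'satisfied' if ok else 'not satisfied'}"
    if rr.usage == 2:
        # DANE-TA: the matched certificate *is* the trust anchor. Chain mechanics
        # still run from the leaf up to it, but no public CA store is consulted.
        for i, c in enumerate(chain):
            if matches(rr, c):
                ok = chains_to(chain, i)
                return ok, f"{acronym}: anchor {c.name}, path {'valid' if ok else 'broken'}"
        return False, f"{acronym}: no certificate in chain matches the anchor"
    if rr.usage == 3:
        # DANE-EE: the leaf itself is the trust decision; nothing above it matters.
        ok = matches(rr, chain[0])
        return ok, f"{acronym}: leaf {'matches' if ok else 'does not match'}"
    return False, f"usage {rr.usage} not recognised"


def demo() -> dict:
    """Constructed chain (leaf <- intermediate <- root) and sample records."""
    root = Cert("root", b"DER:root", b"SPKI:root", b"SPKI:root")
    inter = Cert("intermediate", b"DER:inter", b"SPKI:inter", b"SPKI:root")
    leaf = Cert("leaf", b"DER:leaf", b"SPKI:leaf", b"SPKI:inter")
    chain = [leaf, inter, root]
    inter_digest = hashlib.sha256(inter.spki).digest()
    results = {}
    # Usage 2: the intermediate is the anchor; succeeds with no public CA at all.
    results["dane_ta_no_pkix"] = evaluate(TLSA(2, 1, 1, inter_digest), chain, False)[0]
    # Usage 0 with the very same data: only a constraint, so it needs PKIX success.
    results["pkix_ta_no_pkix"] = evaluate(TLSA(0, 1, 1, inter_digest), chain, False)[0]
    results["pkix_ta_with_pkix"] = evaluate(TLSA(0, 1, 1, inter_digest), chain, True)[0]
    # Usage 3: exact match on the leaf's full certificate, no chain walk.
    results["dane_ee_leaf"] = evaluate(TLSA(3, 0, 0, leaf.der), chain, False)[0]
    # Usage 2 where the intermediate is no longer signed by the anchor key.
    bad = [leaf, Cert("intermediate", b"DER:inter", b"SPKI:inter", b"SPKI:other"), root]
    root_digest = hashlib.sha256(root.spki).digest()
    results["dane_ta_broken_path"] = evaluate(TLSA(2, 1, 1, root_digest), bad, False)[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `demo()` cases show the point of the acronym debate: the same SPKI digest accepts the chain under usage 2 with no public CA involved, but under usage 0 it is merely a constraint that never gets consulted unless PKIX validation has already passed; and usage 2 still rejects a chain whose path to the matched anchor is broken, which is the "chain mechanics" part that "TA" is meant to imply.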