Re: [dane] DANE Client Authentication draft updated
James Cloos <cloos@jhcloos.com> Tue, 12 January 2016 20:07 UTC
To: Shumon Huque <shuque@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/dKYXE4hmN3flT1ExtO5g2tzH2lw>

For draft-huque-dane-client-cert I'd still prefer RR names like:

    _smtp._client.example

for the cert provided by an smtp client which HELO/EHLOs as example.
And similarly for other protocols.

Rather than things like _smtp-client.

Putting all of the client TLSAs under a single label allows (but
obviously does not require) them to be in their own zone. That can
be useful.

And in the case where the proposed tls extension is not used, it should
be OK for the name to be in CN, too. So something like 'MUST be in
either dnsName or CN, but SHOULD be in the dnsName'.

-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
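
As an added example (not part of the original message or of draft-huque-dane-client-cert), the Python below builds the TLSA owner name under both naming schemes discussed above and shows that only the `_client` sublabel gives a single cut point below the client's own name where every client TLSA could be delegated. The function names, the second protocol "xmpp", and the dnsName-before-CN lookup order (one reading of the wording suggested above) are assumptions.

```python
# Added illustration; names and helper functions here are hypothetical,
# not taken from draft-huque-dane-client-cert or any library.

def norm(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()

def tlsa_owner(service, client, scheme):
    """Owner name of the client's TLSA RRset under each naming scheme."""
    if scheme == "sublabel":          # e.g. _smtp._client.example
        return f"_{service}._client.{norm(client)}"
    if scheme == "flat":              # e.g. _smtp-client.example
        return f"_{service}-client.{norm(client)}"
    raise ValueError(f"unknown scheme: {scheme}")

def common_apex(owners):
    """Deepest name that is an ancestor of (or equal to) every owner."""
    label_lists = [norm(o).split(".")[::-1] for o in owners]
    shared = []
    for labels in zip(*label_lists):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return ".".join(reversed(shared))

def client_identity(claimed, san_dns_names, subject_cn):
    """Where the claimed client name was found: 'dnsName' is preferred,
    'CN' is the fallback, None means the certificate does not carry it."""
    want = norm(claimed)
    if any(norm(n) == want for n in san_dns_names):
        return "dnsName"
    if subject_cn is not None and norm(subject_cn) == want:
        return "CN"
    return None

if __name__ == "__main__":
    services = ["smtp", "xmpp"]       # "xmpp" is a constructed second protocol
    for scheme in ("sublabel", "flat"):
        owners = [tlsa_owner(s, "example", scheme) for s in services]
        print(scheme, owners, "-> common apex:", common_apex(owners))
    # Constructed certificate with no dNSName SAN and CN=example
    print(client_identity("example", [], "example"))
```

With the flat scheme the common apex is the client name itself, so the client TLSA records cannot be split into a zone of their own without delegating each `_<service>-client` name separately.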