Re: [dane] I-D Action: draft-ietf-dane-srv-04.txt
mrex@sap.com (Martin Rex) Wed, 12 February 2014 22:55 UTC
In-Reply-To: <20140212195413.GG278@mournblade.imrryr.org>
To: dane@ietf.org
Date: Wed, 12 Feb 2014 23:54:56 +0100
Message-Id: <20140212225456.461B51AC03@ld9781.wdf.sap.corp>
From: mrex@sap.com
Viktor Dukhovni wrote:
> Matt Miller wrote:
>>
>>> DANE-EE(3) CU records need to have meaningful semantics for the
>>> publisher. For example for a publisher to use the same
>>> certificate for many SRV hosts or without worrying about using a
>>> matching name, the use or non-use of name checks must be specified
>>> precisely.
>>>
>>> Therefore I would suggest that the "MAY be ignored" in the second
>>> paragraph of section 5, should be changed to "MUST be ignored".
>>> Otherwise, the published TLSA records have unknown semantics.
>>
>> Thank you for the feedback, Viktor. These comments make sense to me.
>> We'll try to get an update out before the cutoff to address them.
>
> Thanks. You could mention that both name checks and key usage are
> effectively handled by the TLSA record for DANE-EE(3).

I'm sorry, but this simply isn't true today, I do not believe that this
is (nor should be) the intention of DANE, and I'm strongly opposed to
changing that part of the implementations.

DANE itself is about an alternative means to establish (a chain of)
trust to a peer entity, and the usage type 3 only overrides the server
endpoint identification that was originally described in rfc2818
section 3.1

  http://tools.ietf.org/html/rfc2818#section-3

and is described in a more elaborate fashion in rfc6125

  http://tools.ietf.org/html/rfc6125

DANE does NOT invalidate the keyUsage checks and requirements that are
normally part of TLS itself and described here:

  http://tools.ietf.org/html/rfc5246#page-56

There are a number of TLS protocol stacks that will check the KeyUsage
of X.509 certificates that are conveyed through TLS certificate
handshake messages, independent of how the application caller decides
to perform server endpoint identification and how the application
caller determines its trust.

-Martin
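The separation Martin describes, as an added example that is not code from the thread or from any TLS stack: a small Python model of a client's certificate acceptance in which a DANE-EE(3) TLSA match replaces the RFC 6125 name check, while the RFC 5246 keyUsage check (digitalSignature for DHE/ECDHE, keyEncipherment for RSA key exchange) still runs. The function names, the key-exchange table and the certificate bytes are constructed for illustration.

```python
import hashlib

# RFC 5280 KeyUsage bit numbers (bit 0 = MSB of the first content byte).
KEY_USAGE_BITS = {0: "digitalSignature", 2: "keyEncipherment", 4: "keyAgreement"}

# keyUsage bit the server certificate needs for each TLS 1.2 key exchange
# (RFC 5246 section 7.4.2); DANE does not change this table.
REQUIRED_KEY_USAGE = {"RSA": "keyEncipherment", "DHE_RSA": "digitalSignature",
                      "ECDHE_RSA": "digitalSignature", "ECDHE_ECDSA": "digitalSignature"}


def key_usage_from_der(extn_value: bytes) -> set:
    """Decode a DER-encoded KeyUsage extension value (a BIT STRING) to bit names."""
    if len(extn_value) < 3 or extn_value[0] != 0x03 or extn_value[1] >= 0x80:
        raise ValueError("not a short-form DER BIT STRING")
    if extn_value[1] != len(extn_value) - 2:
        raise ValueError("BIT STRING length mismatch")
    unused, bits = extn_value[2], extn_value[3:]
    usable_bits = len(bits) * 8 - unused   # trailing 'unused' bits are not set
    names = set()
    for bit, name in KEY_USAGE_BITS.items():
        byte, offset = divmod(bit, 8)
        if bit < usable_bits and bits[byte] & (0x80 >> offset):
            names.add(name)
    return names


def tlsa_ee_full_cert_matches(cert_der: bytes, tlsa_data: bytes) -> bool:
    """DANE-EE(3), selector 0 (full certificate), matching type 1 (SHA-256)."""
    return hashlib.sha256(cert_der).digest() == tlsa_data


def accept_server_cert(cert_der, san_names, key_usage_extn, key_exchange,
                       hostname, tlsa_data=None):
    """Constructed model of a client's decision; returns (accepted, reason)."""
    if tlsa_data is not None:
        # DANE-EE(3): the TLSA record stands in for RFC 6125 name matching ...
        if not tlsa_ee_full_cert_matches(cert_der, tlsa_data):
            return False, "certificate does not match TLSA record"
    elif hostname not in san_names:  # exact dNSName match only, no wildcards
        return False, "no SAN matches " + hostname
    # ... but the RFC 5246 keyUsage requirement is checked either way.
    if key_usage_extn is not None:
        needed = REQUIRED_KEY_USAGE[key_exchange]
        if needed not in key_usage_from_der(key_usage_extn):
            return False, "keyUsage lacks " + needed
    return True, "ok"


# Constructed sample input: a stand-in for DER certificate bytes and keyUsage values.
CERT_DER = b"constructed-placeholder-certificate-bytes"
TLSA_DATA = hashlib.sha256(CERT_DER).digest()
KU_SIGN_ONLY = bytes.fromhex("03020780")      # digitalSignature only
KU_ENCIPHER_ONLY = bytes.fromhex("03020520")  # keyEncipherment only
```

With a matching TLSA record the name mismatch is ignored, yet a DHE_RSA handshake against a keyEncipherment-only certificate is still rejected.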