Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 02 December 2013 23:47 UTC
Date: Mon, 02 Dec 2013 23:47:47 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131202234747.GQ761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131202203241.GM761@mournblade.imrryr.org> <201312022305.rB2N5doW027178@new.toad.com>
In-Reply-To: <201312022305.rB2N5doW027178@new.toad.com>

On Mon, Dec 02, 2013 at 03:05:39PM -0800, John Gilmore wrote:

> I propose that we reject the draft entirely and stick with numbers.
> If we can't agree on the acronyms, can we stop rearranging the deck
> chairs? A focus on making "running code" for the current DANE RFC
> would produce far more deployment than replacing numbers with words.

I never found the numbers to be an obstacle, and my focus is, as you
suggest, implementation. I am looking at (really) adding DANE support
to OpenSSL (the experimental code in 1.0.2 is IMHO not satisfactory).

There is also an optional DANE interface in GnuTLS; it too is not a
production-quality DANE implementation. If any GnuTLS maintainers are
on the list, they should get in touch.

As for the acronyms, I took the draft introduction at its word, which
is to say that for this discussion I assumed that indeed some
implementors or server operators who need to generate TLSA records do
find the numbers confusing.

Perhaps as John suggests numbers are better than misleading acronyms;
at least then people will read the RFC, rather than guess incorrectly
from the acronym. So in the end acronyms would only be useful if they
make operator mistakes less likely:

    0 - REQUIRED-CA
    1 - REQUIRED-LEAF
    2 - TRUSTED-CA
    3 - MATCHING-LEAF

or perhaps :-)

    0 - CA-LOVER
    1 - CA-SLAVE
    2 - CA-OWNER
    3 - CA-HATER

-- 
	Viktor.
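The four usage values in the list above correspond to the RFC 6698 certificate usages 0-3 (PKIX-TA, PKIX-EE, DANE-TA, DANE-EE). As an added example, not part of the original message nor of the OpenSSL or GnuTLS code it mentions, here is a small Python model of what each usage demands of a presented chain: usages 0 and 1 additionally require ordinary PKIX validation, usages 1 and 3 match only the leaf, usages 0 and 2 may match any certificate in the chain. The Cert and TLSA classes and the byte strings are constructed stand-ins (a real implementation parses DER and extracts the SubjectPublicKeyInfo), and path validation up to a matched DANE-TA anchor is assumed rather than performed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: the raw DER and its
    SubjectPublicKeyInfo are carried directly instead of being parsed."""
    name: str
    der: bytes    # full certificate, selected by selector 0
    spki: bytes   # SubjectPublicKeyInfo, selected by selector 1


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data from the record


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def assoc_data(cert: Cert, tlsa: TLSA) -> bytes:
    """Derive the association data this record would carry for `cert`."""
    raw = cert.der if tlsa.selector == 0 else cert.spki
    if tlsa.mtype == 0:
        return raw
    if tlsa.mtype == 1:
        return sha256(raw)
    if tlsa.mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {tlsa.mtype}")


def tlsa_matches(chain: list, tlsa: TLSA, pkix_valid: bool) -> bool:
    """chain[0] is the end-entity certificate, followed by its issuers.
    pkix_valid is the outcome of normal PKIX path validation against the
    client's CA store; only usages 0 and 1 depend on it."""
    if tlsa.usage in (0, 1) and not pkix_valid:
        return False
    # *-EE usages (1, 3) constrain the leaf; *-TA usages (0, 2) constrain
    # an issuer, so any certificate in the chain may match.  For usage 2
    # the chain is assumed to validate up to the matched anchor.
    candidates = chain[:1] if tlsa.usage in (1, 3) else chain
    return any(assoc_data(c, tlsa) == tlsa.data for c in candidates)
```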