Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]

Viktor Dukhovni <viktor1dane@dukhovni.org> Mon, 02 December 2013 23:47 UTC

Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 287001ADFC4 for <dane@ietfa.amsl.com>; Mon, 2 Dec 2013 15:47:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DFOsDOWhrfgG for <dane@ietfa.amsl.com>; Mon, 2 Dec 2013 15:47:50 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 772231ADFC2 for <dane@ietf.org>; Mon, 2 Dec 2013 15:47:50 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id A67892AB165; Mon, 2 Dec 2013 23:47:47 +0000 (UTC)
Date: Mon, 2 Dec 2013 23:47:47 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20131202234747.GQ761@mournblade.imrryr.org>
References: <A06891E1-01E0-40CC-A9A2-171CAA39AB79@kumari.net> <20131202203241.GM761@mournblade.imrryr.org> <201312022305.rB2N5doW027178@new.toad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <201312022305.rB2N5doW027178@new.toad.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] On the PKIX-TA / PKIX-CA question? [ One week WGLC ]
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 23:47:52 -0000

On Mon, Dec 02, 2013 at 03:05:39PM -0800, John Gilmore wrote:

> I propose that we reject the draft entirely and stick with numbers.
> If we can't agree on the acronyms, can we stop rearranging the deck
> chairs?  A focus on making "running code" for the current DANE RFC
> would produce far more deployment than replacing numbers with words.

I never found the numbers to be an obstacle, and my focus is as
you suggest implementation.  I am looking at (really) adding DANE
support to OpenSSL (the experimental code in 1.0.2 is IMHO not
satisfactory).

There is also an optional DANE interface in GnuTLS, it too is not
a production-quality DANE implementation.  If any GnuTLS maintainers
are on the list, they should get in touch.

As for the acronyms, I took the draft introduction at its word,
which is to say that for this discussion I assumed that indeed some
implementors or server operators who need to generate TLSA records
do find the numbers confusing.  Perhaps as John suggests numbers
are better than misleading acronyms, at least then people will read
the RFC, rather than guess incorrectly from the acronym.

So in the end acronyms would only be useful if they make operator
mistakes less likely:

	0 - REQUIRED-CA
	1 - REQUIRED-LEAF
	2 - TRUSTED-CA
	3 - MATCHING-LEAF

or perhaps :-)

	0 - CA-LOVER
	1 - CA-SLAVE
	2 - CA-OWNER
	3 - CA-HATER

-- 
	Viktor.