IETF Logo Mail Archive

Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym

"Jim Schaad" <ietf@augustcellars.com> Mon, 07 October 2013 15:21 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 016CC21E80A1 for <dane@ietfa.amsl.com>; Mon, 7 Oct 2013 08:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.539
X-Spam-Level:
X-Spam-Status: No, score=-3.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QkkLMzzGDt70 for <dane@ietfa.amsl.com>; Mon, 7 Oct 2013 08:21:26 -0700 (PDT)
Received: from smtp3.pacifier.net (smtp3.pacifier.net [64.255.237.177]) by ietfa.amsl.com (Postfix) with ESMTP id 4150A11E8100 for <dane@ietf.org>; Mon, 7 Oct 2013 08:21:26 -0700 (PDT)
Received: from Philemon (winery.augustcellars.com [206.212.239.129]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp3.pacifier.net (Postfix) with ESMTPSA id EC2F238F22 for <dane@ietf.org>; Mon, 7 Oct 2013 08:21:25 -0700 (PDT)
From: Jim Schaad <ietf@augustcellars.com>
To: dane@ietf.org
References: <20130919201216.14866.61161.idtracker@ietfa.amsl.com> <EACEEB05-2023-4F76-A6FE-A9B2FDC0AA59@kumari.net> <024c01cec2dc$72b596e0$5820c4a0$@augustcellars.com> <20131006224742.GA483@mournblade.imrryr.org>
In-Reply-To: <20131006224742.GA483@mournblade.imrryr.org>
Date: Mon, 07 Oct 2013 08:20:10 -0700
Message-ID: <02e201cec370$b6d9e5d0$248db170$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJ39s23NI8MTM4J4gsDf6CIX3S72AH+2eVVAfb+EFAB9eBQg5hnlTgQ
Content-Language: en-us
Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Oct 2013 15:21:31 -0000

So, while I have sure that I have the details partly wrong, consider the
case of people doing a PGP certificate set here.

They could/would use DANE-EE in the event that the key ring was self-signed.
This is the key to be matched and trusted.

However they would not use DANE-TA in the event that a key ring that was
self-signed was to be used to validate a second key wrong.  In this case
there is a root of trust (i.e. a TA) and then a second level signed PGP key
which is used in the TLS session to do the appropriate things.  This allows
for the TLS key to be rotated more frequently.  But there is no PKIX
validation in this case and thus the use of DANE-TA, which seems logical, is
wrong.

Jim


> -----Original Message-----
> From: dane-bounces@ietf.org [mailto:dane-bounces@ietf.org] On Behalf Of
> Viktor Dukhovni
> Sent: Sunday, October 06, 2013 3:48 PM
> To: dane@ietf.org
> Subject: Re: [dane] Start of WGLC for draft-ietf-dane-registry-acronym
> 
> On Sun, Oct 06, 2013 at 02:38:50PM -0700, Jim Schaad wrote:
> 
> > 5.  As I have stated before, I am not a fan of using DANE-TA for value
2.
> > To me this loses the fact that there will be PKIX processing that
> > occurs with this section.  I would strongly recommend that this become
> PKIX-TA.
> 
> I think that would confuse almost everyone.  The "PKI" part of PKIX
carries
> inappropriate in this context mental baggage.
> 
> Yes, any trust-anchor implies validating certificate chains, performing
name
> on the leaf, ...  Thus the mechanics of validating usage 2 associations
are
> very similar to the mechanics of doing the same with an a-priori
configured
> public CA trust anchor.  Alas, when one hears PKIX, the associated mental
> baggage includes the full panoply of public CAs and not does evoke the
> decentralized DANE model.
> 
> Thus "TA" is IMHO already sufficient to imply all the relevant technical
> features, without evoking unwanted mental associations.
> 
> > The use of PKIX-TA for the value of 0 never made any sense since there
> > is not trust anchor decision that is associated with the certificate
> > in this record.  The only two records currently that have a trust
> > anchor, as oppose to a constraint, component are 2 and 3.
> 
> Here, I've already agreed with you upthread, I think PKIX-CA is better
here
> (Paul Hoffman disagreed, but frankly I am not sure how his response
applies
> to the question at hand).
> 
> --
> 	Viktor.
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

v2.37.1 | Report a Bug | By Email | System Status