Re: [keyassure] I-D Action:draft-ietf-dane-protocol-04.txt
Ben Laurie <benl@google.com> Fri, 25 February 2011 15:11 UTC
Return-Path: <benl@google.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 40BF73A69C3 for <keyassure@core3.amsl.com>; Fri, 25 Feb 2011 07:11:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVPNAjHLbnFl for <keyassure@core3.amsl.com>; Fri, 25 Feb 2011 07:11:42 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.67]) by core3.amsl.com (Postfix) with ESMTP id 1521E3A69E9 for <keyassure@ietf.org>; Fri, 25 Feb 2011 07:11:41 -0800 (PST)
Received: from wpaz33.hot.corp.google.com (wpaz33.hot.corp.google.com [172.24.198.97]) by smtp-out.google.com with ESMTP id p1PFCXdf025293 for <keyassure@ietf.org>; Fri, 25 Feb 2011 07:12:33 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1298646754; bh=KskDWELEAYoKWVsPB1AxetTR+Ls=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=w3xQ3YHfZ1AMdxGzhu2lKEai2YP7HQM8WFovbsj9EBhH+8uJa3AJfh065fn3hHa4n EgTloO02ui3OS7KLvp8PQ==
Received: from vxd7 (vxd7.prod.google.com [10.241.33.199]) by wpaz33.hot.corp.google.com with ESMTP id p1PFCSNa019460 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <keyassure@ietf.org>; Fri, 25 Feb 2011 07:12:32 -0800
Received: by vxd7 with SMTP id 7so1431380vxd.6 for <keyassure@ietf.org>; Fri, 25 Feb 2011 07:12:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=8AmGnupDoVRX3bL6WwACJntEpIyBxWhKjZLp2OKhzPo=; b=rXmOUvTmAOmyHIffP/U94rawGhEz3VAftxn6B97cjokYpWJHKPL3bDqnsRyy7thd+d M2bSJ/rbzDMHAGbxdxHw==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=kWKbp5g9VlCPErquhgDgUzgkS62W5FISBEK5lHsKcd9ISs8sMezccmao7OpjxVqkP1 hF2TDKNX3r5ts5xN/fZQ==
MIME-Version: 1.0
Received: by 10.52.168.229 with SMTP id zz5mr4156592vdb.28.1298646751366; Fri, 25 Feb 2011 07:12:31 -0800 (PST)
Received: by 10.220.88.137 with HTTP; Fri, 25 Feb 2011 07:12:31 -0800 (PST)
In-Reply-To: <p06240800c9888ffce06c@59.188.192.152>
References: <20110210224502.31025.53023.idtracker@localhost> <20110220042133.GB7481@odin.mars.sol> <4D617535.9040404@vpnc.org> <p06240804c988116219c2@10.242.10.246> <AANLkTimGm7Xqf-tK_F2T3nMoPhUE2qL5PQyPV+h80_Lz@mail.gmail.com> <p06240800c9888ffce06c@59.188.192.152>
Date: Fri, 25 Feb 2011 15:12:31 +0000
Message-ID: <AANLkTinnOr2YFKiTEvGMESQMEdcW-i-mQEed4yXRHg_N@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
Cc: keyassure@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [keyassure] I-D Action:draft-ietf-dane-protocol-04.txt
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 15:11:43 -0000
On 22 February 2011 01:01, Stephen Kent <kent@bbn.com> wrote: >> ... >> > >>> >>> I agree that the info in the record could be a TA, and not a CA, but not >>> if >>> the format of the data is an X.509 cert. >> >> You said a minute ago: "if you issue an X.509 cert under which other >> certs will be validated, >> you are a CA." > > yep. > >> This sounds correct to me. However, mostly what's being done here is >> _not_ the issuing of X.509 certs under which other certs will be >> validated (though it is an option), so most times the zone operator is >> not a CA. > > I though one option was to place a cert in the DNS and use it as the > basis for validating a cert chain that terminates at the EE cert for the > web site. If so, then that cert is used to validate other certs and > it would generally be viewed as a CA cert. I admit that some ambiguity > arises when the cert is viewed as a TA. The ambiguity arises because In > general, > if you issue a cert, you are a CA Eh? If I make a self-signed cert, am I a CA? If I publish an EE cert issued by someone else, am I a CA? Presumably at least one of these is a "no", so the zone operator is not necessarily a CA. This was my point. >, but when a cert used to convey TA data, > an RP may elect to not check all of the data. > > We do have TA format standards that make it clear what data is to be checked > and it might be preferable to use them, vs. a self-signed cert (although the > later option might minimize code reuse). > >> In any case it does seem worth making clear when we are talking about >> a PKIX CA vs. any other kind. > > It's really not a "PKIX CA" per se; it's an X.509 CA. > >> > Also, will not performing PoP be a >>> >>> good outcome? >> >> What would be the point of proving to myself that I own a key? > > It would not be useful to you, but rather to someone who puts it in a > DNS record, if that someone does so on your behalf. Otherwise that entity > does not know if the public key really is yours. But, I don't know that > this results in a vulnerability for the DANE context. Ah. If I am asking someone else to update DNS for me, then indeed a PoP might be appropriate. But surely that's an issue for whatever protocol I am using for speaking with my DNS provider? > > Steve >
- [keyassure] I-D Action:draft-ietf-dane-protocol-0… Internet-Drafts
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Scott Schmit
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Paul Hoffman
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Stephen Kent
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Stephen Kent
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Ben Laurie
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Paul Hoffman
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Stephen Kent
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Ben Laurie
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Stephen Kent