Re: [keyassure] Objective: Restrictive versus Supplementary Models

Martin Rex <> Thu, 31 March 2011 13:07 UTC

From: Martin Rex <>
Message-Id: <>
To: (Yoav Nir)
Date: Thu, 31 Mar 2011 15:09:30 +0200 (MEST)
In-Reply-To: <> from "Yoav Nir" at Mar 31, 11 03:01:19 pm

Yoav Nir wrote:
> On Mar 31, 2011, at 2:38 PM, Michael Richardson wrote:
> > 
> >    Yoav> Cert-lock (and CA-lock) are what EKR calls supplementary,
> >    Yoav> while the others are the restrictive. While the server (and
> >    Yoav> domain owner) can't dictate client policy, they should be able
> >    Yoav> to indicate whether the Certificate (TA or EE) that's in the
> >    Yoav> TLSA record is supposed to be validatable or not. The client
> >    Yoav> (relying party) may have a policy to ignore records that push
> >    Yoav> a non-valid certificate, but if you're going to publish a
> >    Yoav> record with a certificate that you have just issued using
> >    Yoav> openssl on your laptop and expires in 1975, the TLSA record
> >    Yoav> had better reflect that this certificate is just a container
> >    Yoav> for a public key, not something you can chain and validate. 
> > 
> > So, you are arguing that the protocol must signal the intent.
> It's not strictly speaking "intent". It's more of an attribute.
> Either "this certificate of mine, you can use your regular validation
> techniques" or "this certificate of mine, just make sure you get this one."

I also think that leaving it up to the client to make assumptions
about what type of TLS Server cert validation scheme should be used
is likely going to result in a lot of bad decisions among the

If the TLSA record includes the information on the intended validation
scheme for this information, then there is going to be more consistency
among the implementations.

When a particular HTML page renders without apparent problems in
one particular web browser, this is no proof that the page is correctly
formed and can be expected to render without problems in other
browsers as well.
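To make the two modes in the exchange above concrete, here is an added example (not code from this thread or from any DANE implementation) of a client that reads the intended validation scheme from the record itself rather than guessing. It uses the record layout that RFC 6698 later standardised (certificate usage, selector, matching type, data); the certificates are constructed byte strings standing in for DER, and the PKIX step is a trust-anchor membership test standing in for real path validation.

```python
"""
Added example: dispatch a TLS server certificate check on the validation
mode carried in a TLSA-style record, instead of letting each client guess.
Certificates are constructed stand-ins (not real DER); pkix_valid() is a
placeholder for RFC 5280 path validation.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set

# Certificate usages, selectors and matching types as numbered in RFC 6698.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_CERT, SEL_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: whole blob plus its public key info."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def _matches(cert: Cert, rec: TLSA) -> bool:
    """Compare the selected part of cert against the record's data field."""
    blob = cert.der if rec.selector == SEL_CERT else cert.spki
    if rec.matching_type == MATCH_FULL:
        return blob == rec.data
    if rec.matching_type == MATCH_SHA256:
        return hashlib.sha256(blob).digest() == rec.data
    if rec.matching_type == MATCH_SHA512:
        return hashlib.sha512(blob).digest() == rec.data
    return False  # unknown matching type: the record is unusable, never a match


def pkix_valid(chain: List[Cert], trust_anchors: Set[bytes]) -> bool:
    """Placeholder for real path validation: chain must end in a trusted cert."""
    return bool(chain) and chain[-1].der in trust_anchors


def accept(rec: TLSA, chain: List[Cert], trust_anchors: Set[bytes]) -> bool:
    """Usages 0/1 keep regular validation and add a constraint; usages 2/3
    replace it with a direct match ("just make sure you get this one")."""
    if not chain:
        return False
    ee = chain[0]
    if rec.usage == PKIX_EE:
        return pkix_valid(chain, trust_anchors) and _matches(ee, rec)
    if rec.usage == PKIX_TA:
        return pkix_valid(chain, trust_anchors) and any(_matches(c, rec) for c in chain)
    if rec.usage == DANE_EE:
        return _matches(ee, rec)
    if rec.usage == DANE_TA:
        # A real client would also build a path from the EE to the matched cert;
        # here the match against any issuer-side cert stands in for that step.
        return any(_matches(c, rec) for c in chain[1:])
    return False  # unknown usage: refuse rather than guess a scheme


def demo() -> Dict[str, bool]:
    """Constructed scenarios: the same key data behaves differently per usage."""
    ca = Cert(der=b"constructed-CA-cert", spki=b"constructed-CA-key")
    laptop = Cert(der=b"constructed-self-signed-cert-expires-1975",
                  spki=b"constructed-laptop-key")
    ee = Cert(der=b"constructed-EE-cert", spki=b"constructed-EE-key")
    store = {ca.der}
    key_hash = hashlib.sha256(laptop.spki).digest()
    return {
        # Self-signed cert published as "a container for a public key": accepted.
        "dane_ee_self_signed": accept(TLSA(DANE_EE, SEL_SPKI, MATCH_SHA256, key_hash),
                                      [laptop], store),
        # Same key data under a PKIX usage: chain does not validate, so rejected.
        "pkix_ee_self_signed": accept(TLSA(PKIX_EE, SEL_SPKI, MATCH_SHA256, key_hash),
                                      [laptop], store),
        # Normal CA-issued cert, PKIX usage with an EE constraint: accepted.
        "pkix_ee_chained": accept(TLSA(PKIX_EE, SEL_CERT, MATCH_SHA512,
                                       hashlib.sha512(ee.der).digest()), [ee, ca], store),
        # CA named in the record but absent from the client's store:
        # accepted as DANE-TA, rejected as PKIX-TA.
        "dane_ta_private_ca": accept(TLSA(DANE_TA, SEL_CERT, MATCH_FULL, ca.der),
                                     [ee, ca], set()),
        "pkix_ta_private_ca": accept(TLSA(PKIX_TA, SEL_CERT, MATCH_FULL, ca.der),
                                     [ee, ca], set()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The point of the dispatch is the one Martin makes: two clients given the same record reach the same verdict because the record, not the client's guess, names the scheme. An unknown usage value falls through to a reject rather than to a best-effort interpretation.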