Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 23 February 2011 16:43 UTC

Message-ID: <4D65396C.901@vpnc.org>
To: keyassure@ietf.org
References: <201102231629.p1NGTN76023860@fs4113.wdf.sap.corp>
In-Reply-To: <201102231629.p1NGTN76023860@fs4113.wdf.sap.corp>

On 2/23/11 8:29 AM, Martin Rex wrote:
> "PKIX certificates" looks somewhat undefined to me.

Would "PKIX [RFC5280] certificates" define it better?

> For me, it suggests the rules defined in rfc-5280 for X.509v3 End-entity
> and CA path certificates only, but excludes both TrustAnchors and
> self-signed X.509v1 certs for use as public key containers.

Why do you feel that the latter two are excluded? I admit that I may be 
missing something, but I don't see anything in 5280 or in TLS that 
prohibits either. We might need to add text in our document explicitly 
calling them out as OK, but not much more, do we?