Re: [keyassure] I-D Action:draft-ietf-dane-protocol-04.txt

Stephen Kent <kent@bbn.com> Mon, 28 February 2011 16:10 UTC

Date: Mon, 28 Feb 2011 10:12:01 -0500
To: Ben Laurie <benl@google.com>
From: Stephen Kent <kent@bbn.com>
Cc: keyassure@ietf.org
Subject: Re: [keyassure] I-D Action:draft-ietf-dane-protocol-04.txt

At 3:12 PM +0000 2/25/11, Ben Laurie wrote:
>...
>  > if you issue a cert, you are a CA
>
>Eh? If I make a self-signed cert, am I a CA?

yes.

>If I publish an EE cert issued by someone else, am I a CA?

no. publishing is not the same as issuing. any 3rd party can publish any cert.

>Presumably at least one of these is a "no", so the zone operator is
>not necessarily a CA. This was my point.

OK.

>...
>> It would not be useful to you, but rather to someone who puts it in a
>> DNS record, if that someone does so on your behalf. Otherwise that entity
>> does not know if the public key really is yours.  But, I don't know that
>> this results in a vulnerability for the DANE context.
>
>Ah. If I am asking someone else to update DNS for me, then indeed a
>PoP might be appropriate. But surely that's an issue for whatever
>protocol I am using for speaking with my DNS provider?

seems reasonable to me.

Steve