Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt
Martin Rex <mrex@sap.com> Thu, 24 February 2011 17:27 UTC
Return-Path: <mrex@sap.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C75EE3A67F5 for <keyassure@core3.amsl.com>; Thu, 24 Feb 2011 09:27:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.232
X-Spam-Level:
X-Spam-Status: No, score=-10.232 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUrbqpZFxynW for <keyassure@core3.amsl.com>; Thu, 24 Feb 2011 09:27:06 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 7EB903A67F4 for <keyassure@ietf.org>; Thu, 24 Feb 2011 09:27:05 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1OHRXYY008471 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Feb 2011 18:27:33 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102241727.p1OHRWQK019306@fs4113.wdf.sap.corp>
To: kent@bbn.com
Date: Thu, 24 Feb 2011 18:27:32 +0100
In-Reply-To: <p06240804c98b640041c2@[210.245.149.101]> from "Stephen Kent" at Feb 23, 11 09:08:50 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: keyassure@ietf.org
Subject: Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 17:27:06 -0000
Stephen Kent wrote: > > At 3:05 PM +0100 2/23/11, Martin Rex wrote: > >Jakob Schlyter wrote: > >> > >> On 23 feb 2011, at 12.04, Ben Laurie wrote: > >> > >> > 1 -- A PKIX end-entity certificate in DER encoding > >> > > >> > 2 -- A PKIX certification authority's certificate in DER encoding > >> > >> I agree this is a reasonable clarification. > > > >If anything, I would really prefer something like > > > > 1 -- An end-entity X.509 certificate in ASN.1 DER encoding > > > > 2 -- A certification authority's X.509 certificate in ASN.1 DER encoding > > > > In the IETF, PKIX profiles X.509 for use with IETF security protocols, > so it probably makes sense to stick with the PKIX label here. This is > certainly true for EE certs. For a self-signed cert used to convey > trust anchor material, we may need some additional/different text. But this would imply that EE certs will have to be issued by commercial CAs. I thought that one of the purposes of DANE was to allow server admins to create their own certificate and distribute it through DNS(SEC) TLSA records. Maybe we should distinguish more types: 1 -- An end-entity X.509 certificate in ASN.1 DER encoding 2 -- A certification authority's X.509 certificate in ASN.1 DER encoding 3 -- An end-entity PKIX certificate from the TLS X.509 PKI 4 -- A certification authority's PKIX certificate from the TLS X.509 PKI For (1), the client would match the server certificate with the TLSA record and be done with it, for (3), besides matching the server certificate with the TLSA record, the client is expected to perform a regular certificate path validation. -Martin
- [keyassure] I-D Action:draft-ietf-dane-protocol-0… Internet-Drafts
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Jakob Schlyter
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Ben Laurie
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Jakob Schlyter
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Martin Rex
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Paul Hoffman
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Martin Rex
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Paul Hoffman
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Stephen Kent
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Peter Gutmann
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Martin Rex
- Re: [keyassure] I-D Action:draft-ietf-dane-protoc… Stephen Kent