IETF Logo Mail Archive

Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt

Martin Rex <mrex@sap.com> Thu, 24 February 2011 17:27 UTC

Return-Path: <mrex@sap.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C75EE3A67F5 for <keyassure@core3.amsl.com>; Thu, 24 Feb 2011 09:27:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.232
X-Spam-Level:
X-Spam-Status: No, score=-10.232 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUrbqpZFxynW for <keyassure@core3.amsl.com>; Thu, 24 Feb 2011 09:27:06 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 7EB903A67F4 for <keyassure@ietf.org>; Thu, 24 Feb 2011 09:27:05 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1OHRXYY008471 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Feb 2011 18:27:33 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102241727.p1OHRWQK019306@fs4113.wdf.sap.corp>
To: kent@bbn.com
Date: Thu, 24 Feb 2011 18:27:32 +0100
In-Reply-To: <p06240804c98b640041c2@[210.245.149.101]> from "Stephen Kent" at Feb 23, 11 09:08:50 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: keyassure@ietf.org
Subject: Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 17:27:06 -0000

Stephen Kent wrote:
> 
> At 3:05 PM +0100 2/23/11, Martin Rex wrote:
> >Jakob Schlyter wrote:
> >>
> >>  On 23 feb 2011, at 12.04, Ben Laurie wrote:
> >>
> >>  >         1 -- A PKIX end-entity certificate in DER encoding
> >>  >
> >>  >         2 -- A PKIX certification authority's certificate in DER encoding
> >>
> >>  I agree this is a reasonable clarification.
> >
> >If anything, I would really prefer something like
> >
> >    1 -- An end-entity X.509 certificate in ASN.1 DER encoding
> >
> >    2 -- A certification authority's X.509 certificate in ASN.1 DER encoding
> >
> 
> In the IETF, PKIX profiles X.509 for use with IETF security protocols,
> so it probably makes sense to stick with the PKIX label here. This is 
> certainly true for EE certs. For a self-signed cert used to convey 
> trust anchor material, we may need some additional/different text.


But this would imply that EE certs will have to be issued by commercial CAs.

I thought that one of the purposes of DANE was to allow server admins
to create their own certificate and distribute it through DNS(SEC) TLSA
records.

Maybe we should distinguish more types:

   1 -- An end-entity X.509 certificate in ASN.1 DER encoding

   2 -- A certification authority's X.509 certificate in ASN.1 DER encoding

   3 -- An end-entity PKIX certificate from the TLS X.509 PKI

   4 -- A certification authority's PKIX certificate from the TLS X.509 PKI

For (1), the client would match the server certificate with the TLSA
record and be done with it, for (3), besides matching the server certificate
with the TLSA record, the client is expected to perform a regular
certificate path validation.


-Martin

v2.23.0 | Report a Bug | By Email