Re: [keyassure] Objective: Restrictive versus Supplementary Models

Yoav Nir <> Fri, 01 April 2011 07:21 UTC

From: Yoav Nir <>
To: Paul Wouters <>
Date: Fri, 1 Apr 2011 10:22:40 +0300

On Apr 1, 2011, at 10:13 AM, Paul Wouters wrote:

> On Thu, 31 Mar 2011, Yoav Nir wrote:
>> Cert-lock (and CA-lock) are what EKR calls supplementary, while the others are the restrictive. While the server (and domain owner) can't dictate client policy, they should be able to indicate whether the Certificate (TA or EE) that's in the TLSA record is supposed to be validatable or not. The client (relying party) may have a policy to ignore records that push a non-valid certificate, but if you're going to publish a record with a certificate that you have just issued using openssl on your laptop and expires in 1975, the TLSA record had better reflect that this certificate is just a container for a public key, not something you can chain and validate.
>> So I think the requirements document should describe EKR's use cases, and require that the TLSA record be able to differentiate between records that are appropriate for the two use cases.
> Are you really suggesting some kind of indicator that says "you can ignore the cruft from the cert that is bogus
> that I vouched for via the RRSIG"?

Stated like this, it conveys policy. I just want it to say that this is the cert I'm going to use, and I can't vouch for anything there besides the public key.
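As an added illustration, not part of this thread and not the draft's actual record format: the relying-party decision the exchange describes, modelled in Python with a hypothetical per-record `validatable` flag, a toy chain check, and a client policy knob (`accept_key_only`); the `Cert`, `TlsaRecord` and `evaluate` names and all certificate data are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:                      # minimal stand-in for an X.509 certificate
    subject: str
    issuer: str
    spki: bytes                  # public key bytes (constructed placeholder)
    not_after: date

@dataclass(frozen=True)
class TlsaRecord:                # hypothetical record shape, not the draft's wire format
    spki_sha256: str             # hash of the public key the server will present
    validatable: bool            # True: "chain me"; False: "I only vouch for the key"

def spki_hash(cert: Cert) -> str:
    return hashlib.sha256(cert.spki).hexdigest()

def chains_to_anchor(cert: Cert, trust_store: set, today: date) -> bool:
    """Toy PKIX check: issuer is a known anchor and the cert is unexpired."""
    return cert.issuer in trust_store and cert.not_after >= today

def evaluate(record: TlsaRecord, presented: Cert, trust_store: set,
             today: date, accept_key_only: bool = True) -> str:
    # 1. The DNSSEC-signed record must name the key the server actually presented.
    if spki_hash(presented) != record.spki_sha256:
        return "reject: public key does not match TLSA record"
    # 2. Restrictive/validatable: the domain owner says this cert is meant to chain.
    if record.validatable:
        if chains_to_anchor(presented, trust_store, today):
            return "accept: key matches and certificate validates"
        return "reject: record says validatable but chain fails"
    # 3. Supplementary/key-only: only the public key is vouched for; client policy decides.
    if accept_key_only:
        return "accept: key matches; certificate treated as key container"
    return "reject: relying-party policy refuses key-only records"

# Constructed sample data: a self-signed, long-expired "laptop" cert and a CA-issued
# cert carrying the same public key, plus one with a different key.
TODAY = date(2011, 4, 1)
TRUST_STORE = {"Example Root CA"}
LAPTOP_CERT = Cert("www.example.com", "www.example.com", b"laptop-key-bytes", date(1975, 1, 1))
CA_CERT = Cert("www.example.com", "Example Root CA", b"laptop-key-bytes", date(2012, 1, 1))
OTHER_CERT = Cert("www.example.com", "Example Root CA", b"some-other-key", date(2012, 1, 1))
KEY_ONLY_RECORD = TlsaRecord(spki_hash(LAPTOP_CERT), validatable=False)
VALIDATABLE_RECORD = TlsaRecord(spki_hash(LAPTOP_CERT), validatable=True)
```

The same laptop certificate is accepted under a key-only record and rejected under a validatable one, which is exactly the distinction the record is being asked to carry.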