Re: [keyassure] Objective: Restrictive versus Supplementary Models

Michael Richardson <> Thu, 31 March 2011 12:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A359E3A6B13 for <>; Thu, 31 Mar 2011 05:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.49
X-Spam-Status: No, score=-1.49 tagged_above=-999 required=5 tests=[AWL=0.464, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ohtRfzAoHApR for <>; Thu, 31 Mar 2011 05:35:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B9AA73A6767 for <>; Thu, 31 Mar 2011 05:35:40 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 2D81B98039; Thu, 31 Mar 2011 08:37:20 -0400 (EDT)
Received: from ( []) by (Postfix) with ESMTP id 80AD998B17; Thu, 31 Mar 2011 14:38:16 +0200 (CEST)
From: Michael Richardson <>
To: "" <>
In-Reply-To: <>
References: <> <> <> <> <> <> <>
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 22)
Date: Thu, 31 Mar 2011 14:38:16 +0200
Message-ID: <>
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Mar 2011 12:35:41 -0000

>>>>> "Yoav" == Yoav Nir <> writes:
    Yoav> So it's really down to 4 cases:
    Yoav> - CA-lock (I only use Verisign)
    Yoav> - Cert-lock (I only use this cert)
    Yoav> - This CA (This is the CA cert that issues my certificate, and
    Yoav> it may not be in your TAS) 

    Yoav> - This Cert (this is the cert I'll be using, and I'm not
    Yoav> promising that you can validate it) 

    Yoav> While I see some value in cert-lock, I don't see much value in
    Yoav> CA-lock. It would solve Comodogate if I was a customer of
    Yoav> another CA, but not if I was a customer of Comodo. 

Presumably, if you were a customer, they would never issue two certs for
the same DN to different customers.

    Yoav> Cert-lock (and CA-lock) are what EKR calls supplementary,
    Yoav> while the others are the restrictive. While the sever (and
    Yoav> domain owner) can't dictate client policy, they should be able
    Yoav> to indicate whether the Certificate (TA or EE) that's in the
    Yoav> TLSA record is supposed to be validatable or not. The client
    Yoav> (relying party) may have a policy to ignore records that push
    Yoav> a non-valid certificate, but if you're going to publish a
    Yoav> record with a certificate that you have just issued using
    Yoav> openssl on your laptop and expires in 1975, the TLSA record
    Yoav> had better reflect that this certificate is just a container
    Yoav> for a public key, not something you can chain and validate. 

So, you are arguing that the protocol must signal the intent.

]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
   Kyoto Plus: watch the video <>
	               then sign the petition.