Re: [keyassure] Bare keys again
Stephen Kent <kent@bbn.com> Mon, 21 March 2011 18:39 UTC
Return-Path: <kent@bbn.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B26023A67B5 for <keyassure@core3.amsl.com>; Mon, 21 Mar 2011 11:39:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.538
X-Spam-Level:
X-Spam-Status: No, score=-102.538 tagged_above=-999 required=5 tests=[AWL=0.062, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2uO56Jh-w0E for <keyassure@core3.amsl.com>; Mon, 21 Mar 2011 11:39:04 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id EC5453A67AA for <keyassure@ietf.org>; Mon, 21 Mar 2011 11:39:03 -0700 (PDT)
Received: from dhcp89-089-213.bbn.com ([128.89.89.213]:49171) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Q1k1s-00063B-8n; Mon, 21 Mar 2011 14:40:36 -0400
Mime-Version: 1.0
Message-Id: <p06240802c9ad49916d9c@[128.89.89.213]>
In-Reply-To: <1300669586.2117.12.camel@localhost>
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org> <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com> <1300669586.2117.12.camel@localhost>
Date: Mon, 21 Mar 2011 14:33:32 -0400
To: Matt McCutchen <matt@mattmccutchen.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Bare keys again
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2011 18:39:04 -0000
At 9:06 PM -0400 3/20/11, Matt McCutchen wrote: >On Sun, 2011-03-20 at 20:40 -0400, Paul Wouters wrote: >> On Sun, 20 Mar 2011, Paul Hoffman wrote: >> > If you want to add bare CA keys, that's fine, but I suspect that >>you actually want to add bare end entity keys, and RFC 6066 doesn't >>allow that. >> >> That difference is muddy anyway, isn't it? Isn't a self-signed >>certificate a CA? > >It is not used to sign any certificates (except itself, but that is >irrelevant because no one ever relies on the self signature), so no. as per the various 580 cites that Paul H. has put in the most recent version of the DANE spec, an SS cert is a CA cert, irrespective of whether it is used to verify sigs on other certs. The one slightly "muddy" situation is when an SS cert is used to convey a trust anchor. A TA is a CA in the usual case, but the cert is just a convenient container to convey the TA data, so there are no checks (in 5280) that are mandated for this case. Steve
- Re: [keyassure] Issues that no longer issues? Ondřej Surý
- [keyassure] Issues that no longer issues? Warren Kumari
- Re: [keyassure] Issues that no longer issues? Paul Wouters
- [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Stephen Kent
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Eric Rescorla
- Re: [keyassure] Bare keys again Phillip Hallam-Baker
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Martin Rex
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Jeff Schmidt
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Douglas Otis
- Re: [keyassure] Bare keys again Douglas Otis
- Re: [keyassure] Bare keys again Henry Story
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Ben Laurie
- Re: [keyassure] Bare keys again Paul Hoffman
- Re: [keyassure] Bare keys again Matt McCutchen
- Re: [keyassure] Bare keys again Paul Wouters
- Re: [keyassure] Bare keys again Matt McCutchen