Re: [keyassure] Bare keys again

Stephen Kent <kent@bbn.com> Mon, 21 March 2011 18:39 UTC

Message-Id: <p06240802c9ad49916d9c@[128.89.89.213]>
In-Reply-To: <1300669586.2117.12.camel@localhost>
References: <92D68A5E-5CB7-4C80-8D7B-0B8D55D93608@kumari.net> <alpine.LFD.1.10.1103201932370.20162@newtla.xelerance.com> <9D285351-8D73-4C15-BE2C-5DF731C08DCE@vpnc.org> <alpine.LFD.1.10.1103202028110.20162@newtla.xelerance.com> <1300669586.2117.12.camel@localhost>
Date: Mon, 21 Mar 2011 14:33:32 -0400
To: Matt McCutchen <matt@mattmccutchen.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] Bare keys again

At 9:06 PM -0400 3/20/11, Matt McCutchen wrote:
>On Sun, 2011-03-20 at 20:40 -0400, Paul Wouters wrote:
>> On Sun, 20 Mar 2011, Paul Hoffman wrote:
>>> If you want to add bare CA keys, that's fine, but I suspect that
>>> you actually want to add bare end entity keys, and RFC 6066 doesn't
>>> allow that.
>>
>> That difference is muddy anyway, isn't it? Isn't a self-signed
>> certificate a CA?
>
>It is not used to sign any certificates (except itself, but that is
>irrelevant because no one ever relies on the self signature), so no.

As per the various 5280 cites that Paul H. has put in the most recent version
of the DANE spec, an SS cert is a CA cert, irrespective of whether it is
used to verify sigs on other certs.  The one slightly "muddy"
situation is when an SS cert is used to convey a trust anchor.  A TA
is a CA in the usual case, but the cert is just a convenient
container to convey the TA data, so there are no checks (in 5280)
that are mandated for this case.

Steve
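Matt and Steve disagree on whether a self-signed certificate "is a CA". As an added illustration that is not part of the thread, the Go standard library splits the question along the RFC 5280 4.2.1.9 line Steve refers to: a self-signed certificate's signature verifies under its own key either way, but the x509 path logic refuses to use it as an issuer, even of itself, unless basicConstraints asserts cA=TRUE. The certificates are constructed in the example, and `NewSelfSigned` and `Classify` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// CertClass records the RFC 5280 properties argued over in the thread.
type CertClass struct {
	SelfIssued   bool // subject DN == issuer DN (RFC 5280 s.6.1)
	SelfSigned   bool // self-issued and the signature verifies under its own key
	CA           bool // basicConstraints present with cA=TRUE (RFC 5280 s.4.2.1.9)
	UsableIssuer bool // Go's path logic accepts the cert as verifier of its own signature
}
// Classify inspects one parsed certificate.
func Classify(c *x509.Certificate) CertClass {
	selfIssued := string(c.RawSubject) == string(c.RawIssuer)
	// Raw check under the cert's own key: no CA constraints applied.
	sigOK := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
	// CheckSignatureFrom applies RFC 5280 4.2.1.9: a v3 cert without cA=TRUE MUST NOT verify cert signatures, even its own.
	return CertClass{
		SelfIssued: selfIssued, SelfSigned: selfIssued && sigOK,
		CA: c.BasicConstraintsValid && c.IsCA, UsableIssuer: c.CheckSignatureFrom(c) == nil,
	}
}
// NewSelfSigned builds a constructed test certificate (not from the thread) signed with its own key; ca selects cA=TRUE.
func NewSelfSigned(cn string, ca bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA key also needs keyCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Both constructed certificates come back SelfIssued and SelfSigned; only the one carrying cA=TRUE is reported as CA and UsableIssuer.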