IETF Logo Mail Archive

Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt

Stephen Kent <kent@bbn.com> Mon, 28 February 2011 18:53 UTC

Return-Path: <kent@bbn.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B7E913A6A1D for <keyassure@core3.amsl.com>; Mon, 28 Feb 2011 10:53:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.423
X-Spam-Level:
X-Spam-Status: No, score=-102.423 tagged_above=-999 required=5 tests=[AWL=0.176, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5KzSaZ0mdB4O for <keyassure@core3.amsl.com>; Mon, 28 Feb 2011 10:53:23 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 69C113A6A31 for <keyassure@ietf.org>; Mon, 28 Feb 2011 10:53:23 -0800 (PST)
Received: from dhcp89-089-216.bbn.com ([128.89.89.216]:49168) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Pu8Eg-000GNy-8Q; Mon, 28 Feb 2011 13:54:22 -0500
Mime-Version: 1.0
Message-Id: <p06240801c99168213f19@[192.168.1.10]>
In-Reply-To: <201102241727.p1OHRWQK019306@fs4113.wdf.sap.corp>
References: <201102241727.p1OHRWQK019306@fs4113.wdf.sap.corp>
Date: Mon, 28 Feb 2011 13:40:46 -0500
To: mrex@sap.com
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: keyassure@ietf.org
Subject: Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Feb 2011 18:53:26 -0000

At 6:27 PM +0100 2/24/11, Martin Rex wrote:
>...
>  > In the IETF, PKIX profiles X.509 for use with IETF security protocols,
>>  so it probably makes sense to stick with the PKIX label here. This is
>>  certainly true for EE certs. For a self-signed cert used to convey
>>  trust anchor material, we may need some additional/different text.
>
>
>But this would imply that EE certs will have to be issued by commercial CAs.

no. anyone can be a CA.

>I thought that one of the purposes of DANE was to allow server admins
>to create their own certificate and distribute it through DNS(SEC) TLSA
>records.

see comment above.

>Maybe we should distinguish more types:
>
>    1 -- An end-entity X.509 certificate in ASN.1 DER encoding
>
>    2 -- A certification authority's X.509 certificate in ASN.1 DER encoding
>
>    3 -- An end-entity PKIX certificate from the TLS X.509 PKI
>
>    4 -- A certification authority's PKIX certificate from the TLS X.509 PKI
>
>For (1), the client would match the server certificate with the TLSA
>record and be done with it, for (3), besides matching the server certificate
>with the TLSA record, the client is expected to perform a regular
>certificate path validation.

as others have pointed out, X.509 vs. PKIX is not generally a 
meaningful distinction in this context, so the wording above is 
confusing, at best.

I plan to work with Paul to generate appropriate text, to match
PKIX standards, while preserving the intent of the DANE docs.

Steve

v2.23.0 | Report a Bug | By Email