IETF Logo Mail Archive

Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt

Martin Rex <mrex@sap.com> Wed, 23 February 2011 16:28 UTC

Return-Path: <mrex@sap.com>
X-Original-To: keyassure@core3.amsl.com
Delivered-To: keyassure@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4363D3A6933 for <keyassure@core3.amsl.com>; Wed, 23 Feb 2011 08:28:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.231
X-Spam-Level:
X-Spam-Status: No, score=-10.231 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8j3VWVLuJrP for <keyassure@core3.amsl.com>; Wed, 23 Feb 2011 08:28:38 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id DCCB33A6904 for <keyassure@ietf.org>; Wed, 23 Feb 2011 08:28:37 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p1NGTNmm028403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 23 Feb 2011 17:29:23 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201102231629.p1NGTN76023860@fs4113.wdf.sap.corp>
To: paul.hoffman@vpnc.org
Date: Wed, 23 Feb 2011 17:29:23 +0100
In-Reply-To: <4D65303D.5040704@vpnc.org> from "Paul Hoffman" at Feb 23, 11 08:05:17 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: keyassure@ietf.org
Subject: Re: [keyassure] I-D Action:draft-ietf-dane-protocol-05.txt
X-BeenThere: keyassure@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Key Assurance With DNSSEC <keyassure.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyassure>
List-Post: <mailto:keyassure@ietf.org>
List-Help: <mailto:keyassure-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyassure>, <mailto:keyassure-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2011 16:28:40 -0000

Paul Hoffman wrote:
> 
> On 2/23/11 6:05 AM, Martin Rex wrote:
> > Jakob Schlyter wrote:
> >>
> >> On 23 feb 2011, at 12.04, Ben Laurie wrote:
> >>
> >>>          1 -- A PKIX end-entity certificate in DER encoding
> >>>
> >>>          2 -- A PKIX certification authority's certificate in DER encoding
> >>
> >> I agree this is a reasonable clarification.
> >
> > If anything, I would really prefer something like
> >
> >     1 -- An end-entity X.509 certificate in ASN.1 DER encoding
> >
> >     2 -- A certification authority's X.509 certificate in ASN.1 DER encoding
> 
> X.509 is a standard that does not contain all of the extensions created 
> by the PKIX Working Group in the IETF. Using "PKIX" makes it clear that 
> we are talking about certificates with the IETF extensions, not 
> certificates missing them.

"PKIX certificates" looks somewhat undefined to me.

For me, it suggests the rules defined in rfc-5280 for X.509v3 End-entity
and CA path certificates only, but excludes both TrustAnchors and
self-signed X.509v1 certs for use as public key containers.

-Martin

v2.23.0 | Report a Bug | By Email