Re: [saag] height of PKI

Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 26 August 2020 04:35 UTC

Date: Wed, 26 Aug 2020 00:35:30 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20200826043530.GZ37427@straasha.imrryr.org>
Reply-To: saag@ietf.org
References: <20200728191331.GV41010@kduck.mit.edu> <e928e548-f82d-2809-200e-0fc4ac93db14@cs.tcd.ie> <20200728194235.GY41010@kduck.mit.edu> <5ac5c357-0eeb-d321-c743-03817684fe22@sandelman.ca>
In-Reply-To: <5ac5c357-0eeb-d321-c743-03817684fe22@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6PQ76Uxrly2VACG0xYi-GfgIwAk>

On Tue, Aug 25, 2020 at 11:14:24PM -0400, Michael Richardson wrote:

> On 2020-07-28 3:42 p.m., Benjamin Kaduk wrote:
> > Sorry for the clumsy description.  Basically, if you squint hard, you could
> > claim that at least some types of pinning are actually a PKI, just a
> > degenerate PKI.  E.g., in a PKI I have to pin at least one trust anchor as
> > the root of the PKI, and if that pinned trust anchor just happens to also
> > be the certificate directly used in the protocol, it's still a PKI, just a
> > tree of height one.
> 
> I had suggested that a PKI that consisted of ROOT, Intermediate, and EE
> had a height of "three".
> Some disagreed, and said that the EE didn't count, and it was a height 
> of "two"
> Others disagreed: the EE counts, but the root doesn't count, so it's a 
> height of "two"
> 
> So is your case above a height of "one", or a height of "zero"?
> 
> If there is a definitive answer, I haven't found it yet.

What's "definitive"?  And which certificate is at depth 0, the root or
the leaf?  These questions have no answer (different X.509 libraries
answer them differently), just be clear about your notation in context.

You could of course go with RFC5280, but its numbering is by no means
universally used.

-- 
    Viktor.
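Added example, not part of the message above: the same ROOT / INTERMEDIATE / EE path numbered the two ways the reply alludes to (RFC 5280 section 6.1, where the trust anchor is outside the path and certificate 1 is the one the anchor issued, versus OpenSSL's verify callback, where depth 0 is the leaf), plus the one count RFC 5280 does define normatively, the pathLenConstraint check of section 6.1.4, under which the end-entity certificate is not counted. The chains are constructed, not real X.509 data, and the Cert class carries only the fields the counting needs; it also includes Kaduk's degenerate single-certificate case.

```python
# Added example (not from the mailing-list message): one certification path,
# two depth conventions, and the pathLenConstraint arithmetic of RFC 5280.
# Chains are constructed; Cert models only the fields the counting needs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                       # basicConstraints cA
    path_len: Optional[int] = None    # basicConstraints pathLenConstraint, None = absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


# Constructed chains, trust anchor first.
CHAIN = [
    Cert("ROOT", "ROOT", is_ca=True),
    Cert("INTERMEDIATE", "ROOT", is_ca=True, path_len=0),
    Cert("EE", "INTERMEDIATE", is_ca=False),
]
# The degenerate case: the pinned trust anchor is the certificate used directly.
PINNED = [Cert("PIN", "PIN", is_ca=False)]
# One intermediate too many under INTERMEDIATE's pathLenConstraint of 0.
TOO_DEEP = [
    Cert("ROOT", "ROOT", is_ca=True),
    Cert("INTERMEDIATE", "ROOT", is_ca=True, path_len=0),
    Cert("SUB-CA", "INTERMEDIATE", is_ca=True),
    Cert("EE", "SUB-CA", is_ca=False),
]


def rfc5280_indices(path: List[Cert]) -> Dict[str, int]:
    """RFC 5280 section 6.1 numbering: the trust anchor is not part of the
    prospective path; certificate 1 is issued by the anchor and certificate n
    is the target, so the path length n does not count the root."""
    return {c.subject: i for i, c in enumerate(path[1:], start=1)}


def openssl_depths(path: List[Cert]) -> Dict[str, int]:
    """OpenSSL verify-callback numbering (X509_STORE_CTX_get_error_depth):
    depth 0 is the leaf and depth grows toward the self-signed root."""
    return {c.subject: d for d, c in enumerate(reversed(path))}


def check_path_len(path: List[Cert]) -> Tuple[bool, str]:
    """pathLenConstraint as RFC 5280 section 6.1.4 steps (k)-(m) apply it:
    max_path_length starts at n, each non-self-issued certificate that is not
    the last one consumes one unit, and a pathLenConstraint lowers the
    remaining budget.  The final (end-entity) certificate is never counted."""
    chain = path[1:]                  # anchor excluded, as in section 6.1.2
    n = len(chain)
    max_path_length = n
    for i, cert in enumerate(chain, start=1):
        if i == n:                    # final certificate: no preparation step
            break
        if not cert.is_ca:            # step (k): a non-final cert must be a CA
            return False, f"{cert.subject} is not a CA but has a successor"
        if not cert.self_issued:      # step (l)
            if max_path_length <= 0:
                return False, f"{cert.subject} exceeds an ancestor's pathLenConstraint"
            max_path_length -= 1
        if cert.path_len is not None: # step (m)
            max_path_length = min(max_path_length, cert.path_len)
    return True, ""


if __name__ == "__main__":
    for name, path in (("CHAIN", CHAIN), ("PINNED", PINNED), ("TOO_DEEP", TOO_DEEP)):
        print(name, "RFC5280:", rfc5280_indices(path),
              "OpenSSL:", openssl_depths(path), "pathLen:", check_path_len(path))
```

For CHAIN the two conventions give INTERMEDIATE index 1 / EE index 2 (RFC 5280, path length 2) and EE depth 0 / ROOT depth 2 (OpenSSL), which is the "three versus two" disagreement in numbers; for PINNED the RFC 5280 path is empty while OpenSSL still reports the pinned certificate at depth 0.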