Re: [saag] height of PKI
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 26 August 2020 04:35 UTC

On Tue, Aug 25, 2020 at 11:14:24PM -0400, Michael Richardson wrote:

> On 2020-07-28 3:42 p.m., Benjamin Kaduk wrote:
> > Sorry for the clumsy description. Basically, if you squint hard, you could
> > claim that at least some types of pinning are actually a PKI, just a
> > degenerate PKI. E.g., in a PKI I have to pin at least one trust anchor as
> > the root of the PKI, and if that pinned trust anchor just happens to also
> > be the certificate directly used in the protocol, it's still a PKI, just a
> > tree of height one.
>
> I had suggested that a PKI that consisted of ROOT, Intermediate, and EE
> had a height of "three".
> Some disagreed, and said that the EE didn't count, and it was a height
> of "two"
> Others disagreed: the EE counts, but the root doesn't count, so it's a
> height of "two"
>
> So is your case above a height of "one", or a height of "zero"
>
> If there is a definitive answer, I haven't found it yet.

What's "definitive"? And which certificate is at depth 0, the root
or the leaf? These questions have no answer (different X.509 libraries
answer them differently), just be clear about your notation in context.

You could of course go with RFC5280, but its numbering is by no means
universally used.

-- 
    Viktor.