Re: [therightkey] [dane] DANE and CT

Tom Ritter <tom@ritter.vg> Wed, 14 November 2012 16:37 UTC

From: Tom Ritter <tom@ritter.vg>
Date: Wed, 14 Nov 2012 11:37:17 -0500
Message-ID: <CA+cU71nnjVKhiydsfjvY4VZv_JFJSge4iX4e9b0tbbVvTjD=Pg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: therightkey@ietf.org, Ben Laurie <benl@google.com>, IETF DANE WG list <dane@ietf.org>
Subject: Re: [therightkey] [dane] DANE and CT

On 14 November 2012 11:30, Paul Wouters <paul@nohats.ca> wrote:

> I think CT is a bandaid for PKIX that does not apply to DANE.
>

Perhaps not DANE - but DNSSEC.  PKIX allows N CAs to issue unlimited
trusted certs for your domain.  DNSSEC allows 1 TLD to issue unlimited
trusted signing keys for your domain.  Maybe it's the KSK that should go
into a log?

-tom