IETF Logo Mail Archive

Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC

Shumon Huque <shuque@upenn.edu> Sat, 17 November 2012 18:18 UTC

Return-Path: <shuque@upenn.edu>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9070821F8473 for <therightkey@ietfa.amsl.com>; Sat, 17 Nov 2012 10:18:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6pyde1bLcfs4 for <therightkey@ietfa.amsl.com>; Sat, 17 Nov 2012 10:18:41 -0800 (PST)
Received: from mopeypopo.net.isc.upenn.edu (www.huque.com [IPv6:2607:f470:2:1::a:2]) by ietfa.amsl.com (Postfix) with ESMTP id 7FF0B21F8BF5 for <therightkey@ietf.org>; Sat, 17 Nov 2012 10:18:40 -0800 (PST)
Received: by mopeypopo.net.isc.upenn.edu (Postfix, from userid 500) id 847AEA5003; Sat, 17 Nov 2012 13:18:39 -0500 (EST)
Date: Sat, 17 Nov 2012 13:18:39 -0500
From: Shumon Huque <shuque@upenn.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Message-ID: <20121117181839.GA25913@isc.upenn.edu>
References: <2B12532F-90DE-4265-9EDB-38F49B5CA951@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2B12532F-90DE-4265-9EDB-38F49B5CA951@vpnc.org>
Organization: University of Pennsylvania
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: "therightkey@ietf.org" <therightkey@ietf.org>
Subject: Re: [therightkey] Defining CT-for-PKIX and CT-for-DNSSEC
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Nov 2012 18:18:42 -0000

On Sat, Nov 17, 2012 at 08:01:10AM -0800, Paul Hoffman wrote:
> CT-for-PKIX helps a web site administrator determine if a trusted CA ever issued a certificate that should not have been issued.  
> 
> CT-for-DNSSEC helps a DNS zone administrator determine whether a DNS server in the hierarchy above the leaf zone ever included a DS record that should not have been included.
> 
> It would be good to have agreement on the above; feel free to offer changes and see if the authors agree. Then we can talk about the relationship between the two.
> 

Sounds reasonable to me.

Does "CT" need to be renamed for DNSSEC? Since we're talking about 
transparency of delegation records/keys and not X.509 certificates. 
If C means "certification" in the general sense, then I suppose it
might still be applicable since a (signed) DS record certifies the
authenticity of the secure entry point key in a subordinate zone.

-- 
Shumon Huque
University of Pennsylvania.

v2.23.0 | Report a Bug | By Email