Re: [TLS] Why TLSA RR and not CERT RR?
Robert Moskowitz <rgm-sec@htt-consult.com> Sun, 26 June 2022 13:32 UTC
Return-Path: <rgm-sec@htt-consult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C71CFC14F74B for <tls@ietfa.amsl.com>; Sun, 26 Jun 2022 06:32:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.784
X-Spam-Level:
X-Spam-Status: No, score=-3.784 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t5RCAa_rDHTJ for <tls@ietfa.amsl.com>; Sun, 26 Jun 2022 06:32:38 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47BB3C14F739 for <tls@ietf.org>; Sun, 26 Jun 2022 06:32:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 51A726250B; Sun, 26 Jun 2022 09:31:52 -0400 (EDT)
X-Virus-Scanned: amavisd-new at htt-consult.com
Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id RQjc0QPMbWpc; Sun, 26 Jun 2022 09:31:42 -0400 (EDT)
Received: from [192.168.160.11] (unknown [192.168.160.11]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 28E6F624D4; Sun, 26 Jun 2022 09:31:42 -0400 (EDT)
Content-Type: multipart/alternative; boundary="------------iIRztn7XwcVOg8MDn4s4YaR0"
Message-ID: <108daf4e-37e0-f32e-cf1b-70d51c45987a@htt-consult.com>
Date: Sun, 26 Jun 2022 09:32:24 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Eric Rescorla <ekr@rtfm.com>
Cc: tls <tls@ietf.org>
References: <fbd4826a-8604-9170-b7ea-a5ed86ef1462@htt-consult.com> <CABcZeBP3ew2YXKgcfgQwzBTPjG=diAYURBJ+8d1ULJ3pHSUigg@mail.gmail.com>
From: Robert Moskowitz <rgm-sec@htt-consult.com>
In-Reply-To: <CABcZeBP3ew2YXKgcfgQwzBTPjG=diAYURBJ+8d1ULJ3pHSUigg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JdA4PmLl_S2kPqr4_D9m1Vo6Y2s>
Subject: Re: [TLS] Why TLSA RR and not CERT RR?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jun 2022 13:32:42 -0000
Kind of thought so. So where do I ask where CERT records are being used? thanks On 6/26/22 09:22, Eric Rescorla wrote: > Well, this really isn't a question for the TLS WG as DANE is external > to TLS. > > With that said, ISTM that the primary purpose of DANE is to indicate > which certificates are acceptable rather than to convey them, as TLS > already knows how to convey them. > > -Ekr > > > On Sun, Jun 26, 2022 at 5:05 AM Robert Moskowitz > <rgm-sec@htt-consult.com> wrote: > > Recently I have been in a discussion about DNS RR that hold X.509 > certificates. > > I am asking this here, as I *Think* there may be some knowledge here > without me joining other lists... > > I was aware of DANE's rfc6698 that holds both X.509 certs or > SubjectPublicKeyInfo. > > But I was pointed at rfc4398 Which does NOT handle > SubjectPublicKeyInfo, but handles X.509 and other formats. > > Interesting that they both end in '98' and this is way after Jon was > around seeing to how RFC numbers were assigned :) > > What was the deciding point not to use 4398 for DANE? (and now DANCE) > > What is 4398 currently used for? Why was it not just updated to add > SubjectPublicKeyInfo rather than add a new RR? > > And then there is rfc7250 which references 6698... > > Thank you. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Eric Rescorla
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Eric Rescorla
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Viktor Dukhovni
- Re: [TLS] Why TLSA RR and not CERT RR? Jim Reid
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? Robert Moskowitz
- Re: [TLS] Why TLSA RR and not CERT RR? John Levine
- Re: [TLS] Why TLSA RR and not CERT RR? Phillip Hallam-Baker