Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 04 October 2010 16:04 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CB20F3A6FE8; Mon, 4 Oct 2010 09:04:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.813
X-Spam-Level:
X-Spam-Status: No, score=-102.813 tagged_above=-999 required=5 tests=[AWL=-0.214, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oDwLQErRl0ZP; Mon, 4 Oct 2010 09:04:13 -0700 (PDT)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:21b:21ff:fe3a:3d50]) by core3.amsl.com (Postfix) with ESMTP id A04943A6FC9; Mon, 4 Oct 2010 09:04:12 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 619813E40F4; Mon, 4 Oct 2010 17:05:06 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1286208306; bh=9wi2BIw07IQ1bZ BPbnrLZGsxDFaCDfR8Fexn4QEEdZk=; b=kGrgV+/R4SEe+9zJ0tQwQvvz3rwVob oN3X5kr6fmryIRHU5BR8q0cc1sO8cuFD21a1vvsV9hAk8vIFnS9evoX8+j72erwH 5xPH/AEehECr9QGMjY67TeXS3kdn3fh7m+dyDnuogGpJ1E0v2Xsepe02v4EgZaKj YhOWOdxoMgCdi3Pk/GCtnwNWk5286RQNRIU1Xz9lm2Z7FRXmL8iW6W7RiuZ0fRxC RR0885M3I4rjiwCn5rFmD30PsfIwhBw8XieHEdmt/NOE+g+460InrKdrACBRqyOg gZaWV+RvUrhu+v7Hz6YLXx/P91RKJ2xt2TgdgyHGJVnuRQhR44pLwciw==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id gzhax3g9s9lp; Mon, 4 Oct 2010 17:05:06 +0100 (IST)
Received: from [134.226.36.137] (stephen-samy.dsg.cs.tcd.ie [134.226.36.137]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id D7DE63E40F0; Mon, 4 Oct 2010 17:05:05 +0100 (IST)
Message-ID: <4CA9FB2F.4000300@cs.tcd.ie>
Date: Mon, 04 Oct 2010 17:05:03 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.12) Gecko/20100915 Lightning/1.0b1 Thunderbird/3.0.8
MIME-Version: 1.0
To: mrex@sap.com
References: <201010041437.o94EbTHT029454@fs4113.wdf.sap.corp>
In-Reply-To: <201010041437.o94EbTHT029454@fs4113.wdf.sap.corp>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: dnsop@ietf.org, saag@ietf.org, pkix@ietf.org, tls@ietf.org
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Oct 2010 16:04:14 -0000

On 04/10/10 15:37, Martin Rex wrote:
> One thing that needs to be addressed/solved is the key/cert rollover
> for any TLS-Server, so that it is possible to list more than one
> server cert as "valid" for a Server through DNS, at least for the
> time of the transition/rollover.

Maybe a side-issue here, but this came up in the W3C WSC work and
I wrote up an idea for that (not based on DNS) which is RFC 5697. [1]
No idea if anyone is using or would use it, though I did have a student
implement it, so it *could* work. (Note: that's an experimental-track
RFC, as it ought to be :-)

S.

[1] http://tools.ietf.org/html/rfc5697
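The rollover problem Martin Rex raises above (publishing more than one acceptable server cert through DNS for the duration of a transition) has a timing subtlety worth making concrete: a client that cached the DNS answer before the new cert was published will reject the new cert until that cached answer expires. The following is an added example, not code from either poster or from any IETF specification; it models a hypothetical "cert association" record as a set of SHA-256 digests per server name (an assumption, not any real DNS RR type), a TTL-caching resolver, and a rollover sequence that is safe only if the operator waits out the TTL before switching the server cert. Certificate bytes are constructed placeholders, not real DER.

```python
import hashlib

TTL = 3600  # assumed cache lifetime, in seconds, of the published association


def cert_digest(cert_bytes: bytes) -> bytes:
    """SHA-256 over the (constructed) certificate bytes; the digest is what the zone publishes."""
    return hashlib.sha256(cert_bytes).digest()


class Zone:
    """Authoritative data: server name -> set of digests of certs currently deemed acceptable.

    Hypothetical record model used for this example only (assumption: not a real RR type).
    """

    def __init__(self):
        self._assoc = {}

    def publish(self, name: str, cert: bytes) -> None:
        self._assoc.setdefault(name, set()).add(cert_digest(cert))

    def withdraw(self, name: str, cert: bytes) -> None:
        self._assoc.get(name, set()).discard(cert_digest(cert))

    def lookup(self, name: str) -> frozenset:
        return frozenset(self._assoc.get(name, ()))


class CachingResolver:
    """Client-side cache: an answer fetched at time t is reused until t + ttl."""

    def __init__(self, zone: Zone, ttl: int = TTL):
        self.zone = zone
        self.ttl = ttl
        self.cache = {}  # name -> (expiry_time, answer)

    def lookup(self, name: str, now: int) -> frozenset:
        hit = self.cache.get(name)
        if hit is not None and hit[0] > now:
            return hit[1]  # still fresh: stale relative to the zone, but valid to use
        answer = self.zone.lookup(name)
        self.cache[name] = (now + self.ttl, answer)
        return answer


def accept(resolver: CachingResolver, name: str, presented_cert: bytes, now: int) -> bool:
    """A TLS client accepts the presented cert iff its digest is among the published ones."""
    return cert_digest(presented_cert) in resolver.lookup(name, now)


def simulate_rollover(wait_for_caches: bool) -> list:
    """Run the rollover and return the client's accept/reject verdict at each checkpoint.

    Checkpoints: [steady state with old cert, server switched to new cert,
                  new cert after old association withdrawn, old cert after withdrawal]
    """
    name = "www.example.com"            # constructed
    old_cert = b"constructed-old-cert"   # constructed placeholder, not DER
    new_cert = b"constructed-new-cert"   # constructed placeholder, not DER

    zone = Zone()
    zone.publish(name, old_cert)
    client = CachingResolver(zone)
    now = 0
    verdicts = []

    # Checkpoint 1: steady state; this lookup populates the client's cache with only the old digest.
    verdicts.append(accept(client, name, old_cert, now))

    # Step 1: publish the new association alongside the old one (both are now "valid").
    zone.publish(name, new_cert)
    # Step 2: either wait until every cache holding the old-only answer has expired, or don't.
    now += TTL + 1 if wait_for_caches else 60

    # Step 3: switch the server to present the new cert.
    verdicts.append(accept(client, name, new_cert, now))

    # Step 4: withdraw the old association; after another TTL the old cert must be rejected.
    zone.withdraw(name, old_cert)
    now += TTL + 1
    verdicts.append(accept(client, name, new_cert, now))
    verdicts.append(accept(client, name, old_cert, now))
    return verdicts


if __name__ == "__main__":
    print("waited for TTL:   ", simulate_rollover(True))
    print("switched at once: ", simulate_rollover(False))
```

The second verdict is the interesting one: with `wait_for_caches=False` the client still holds the old-only answer and rejects the new cert even though the zone already lists both, so the overlap period must be at least the TTL of the association record, measured from when the new record was published, not from when the server is switched.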