Re: [TLS] [pkix] Proposing CAA as PKIX Working Group Item
Michael D'Errico <mike-list@pobox.com> Thu, 02 June 2011 00:12 UTC
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: pkix@ietf.org, TLS Mailing List <tls@ietf.org>

Paul Hoffman wrote:
>
> I support the PKIX WG adopting as a work item (wording taken from the CAA draft's text) "DNS Resource Records that allow a DNS domain name holder to specify the certificate signing certificate(s) authorized to issue certificates for that domain".

I haven't read the draft, but from the quote it appears that this could improve the weakest part of TLS (as it is used today in browsers) where any of the hundreds of preinstalled root CAs is trusted to issue a certificate to any possible domain name.

[CC'ed to the TLS working group]

Mike