Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

Paul Hoffman <> Tue, 05 October 2010 19:02 UTC

Date: Tue, 5 Oct 2010 12:03:06 -0700
To: Phillip Hallam-Baker <>
From: Paul Hoffman <>
Subject: Re: [TLS] [pkix] Cert Enumeration and Key Assurance With DNSSEC

As much as I hate to spam multiple lists, I need to correct a technical error. And, really, this discussion should be happening on the keyassure mailing list.

At 12:56 PM -0400 10/5/10, Phillip Hallam-Baker wrote:
>But the design approach taken in the Hoffman et al. proposal is that publication of a DNSSEC assurance for a cert disables verification on the PKIX chain unless the 'preferences' flag is set.

That statement was untrue in draft-hoffman-keys-linkage-from-dns-02, and the flag was removed in -03.

--Paul Hoffman, Director
--VPN Consortium