Re: [Uta] WGLC for draft-ietf-uta-rfc6125bis-06

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Mon, Jun 27, 2022 at 05:15:09PM +0000, Salz, Rich wrote:

> Does a DANE certificate have the same "name" as a non-DANE
> certificate?

Yes, the name is a DNS name, and for DANE certificate usages PKIX-TA(0),
PKIX-EE(1) and DANE-TA(2) the same logic applies to the EE certificate
as in PKIX with WebPKI trust anchors.

> If the subjectAltNAME for a DANE-based certificate is the same as for
> non-DANE, then yes the rules should apply. If not, no.

Modulo cases (e.g. SMTP) where with DANE-EE(3) the presented identifiers
in the peer certificate may be entirely ignored.

> Note that "validating the chain" is *not* part of 6125 nor 6125bis.
> Quoting from the Applicability section: This document addresses only
> name forms in the leaf "end entity" server certificate.   It does not
> address the name forms in the chain of certificates used to validate a
> cetrificate, let alone creating or checking the validity of such a
> chain.  In order to ensure proper authentication, applications need to
> verify the entire certification path as per {{PKIX}}.
>
> Perhaps the last few words could or should be
> 	Such as per {{PKIX}} or {{DANE}}.

Sure, but I don't know that this needs to be stated explicitly,
applications that elect DANE are well aware that they're in part or in
whole deviating from PKIX.  But if there's a concern that this text in
essence "forbids" DANE, the text could simply delete "as Per {{PKIX}}".
There may other certificate chain verification modes in the future.

-- 
    Viktor.