On Wed, May 22, 2013 at 03:31:21PM +0200, Christian Becker wrote:

> Viktor Dukhovni:
> > On Wed, May 22, 2013 at 11:13:42AM +0200, Christian Becker wrote:
> > 
> >> what is the intended outcome validating a record TLSA 2 x x, where the
> >> specified trust anchor certificate was already revoked by a CA? Does
> >> PKIX certification path validation include revocation checks?
> > 
> > With certificate usages "2" and "3" there is no PKIX validation
> > above the trust-anchor or EE certificate respectively.  The party
> > publishing the TLSA RR is responsible for updating the TLSA record
> > when the certificate in question is no longer trustworthy.  This
> > is properly a responsibility of the domain owner, I should add a note
> > about this to the next revision of the ops draft...
> 
> Thanks for your answer. I only supposed that there is or should be an
> answer on the protocol level as well to this situation where there might
> be conflicting information from PKIX validation and DANE.

The whole point of "2" and "3" is that the existing public CA PKI
(I think that's what you mean by PKIX) is out of scope, neither
trusted nor consulted.  Thus a DANE trust anchor with usage 2/3 is
never revoked, it is simply replaced by the domain owner publishing
updated TLSA records.

From where I sit, this is much better than revocation lists, OCSP,
...  Eventually the TA is domain issued (not just a transitional
reference to a public CA) and so updating the DNS is a simple local
matter, more convenient than pushing revocations to a CA.

The operational requirement is to avoid excessively long signature
validity, which means resigning the DNS zone at least daily for
sites with high value keys.  For my personal domain, weekly resigning
will likely do just fine.

-- 
        Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
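The usage 2/3 behaviour Viktor describes, as an added example that is not part of the thread: the certificate association check from RFC 6698 section 2.1, run against a TLSA RRset, with constructed stand-in bytes (not real DER) for the certificate and its SubjectPublicKeyInfo. It shows that the only decision input for usage 2/3 is the record match, and that "revocation" happens by the domain owner publishing a replacement record.

```python
import hashlib

# Constructed stand-ins (not real certificates) for the DER encoding of a
# certificate and of its SubjectPublicKeyInfo, as obtained from the handshake.
OLD_CERT_DER = b"constructed-der-for-old-cert"
OLD_SPKI_DER = b"constructed-spki-for-old-cert"
NEW_CERT_DER = b"constructed-der-for-new-cert"
NEW_SPKI_DER = b"constructed-spki-for-new-cert"

def association_data(selector, matching, cert_der, spki_der):
    """RFC 6698 certificate association data: selector 0 = full certificate,
    1 = SPKI; matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")

def make_tlsa(usage, selector, matching, cert_der, spki_der):
    """Presentation form 'usage selector matching hexdata' for a record."""
    cad = association_data(selector, matching, cert_der, spki_der)
    return f"{usage} {selector} {matching} {cad.hex()}"

def parse_tlsa(presentation):
    usage, selector, matching, hexdata = presentation.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", ""))

def dane_usage_2_3_matches(rrset, cert_der, spki_der):
    """Usage 2/3: the certificate is accepted iff some record matches it.
    No CRL, OCSP or public-CA PKIX validation is consulted. (Usage 2 also
    requires the server's EE certificate to chain to the matched TA; that
    path check is outside this example.)"""
    for rr in rrset:
        usage, selector, matching, data = parse_tlsa(rr)
        if usage not in (2, 3):
            continue  # usage 0/1 records would need PKIX and are not handled here
        if association_data(selector, matching, cert_der, spki_der) == data:
            return True
    return False

# Rotation: the old key is "revoked" by publishing a record for the new one
# (both published during the overlap, then the old record dropped).
OLD_RRSET = [make_tlsa(3, 1, 1, OLD_CERT_DER, OLD_SPKI_DER)]
NEW_RRSET = [make_tlsa(3, 1, 1, NEW_CERT_DER, NEW_SPKI_DER)]
```

Once NEW_RRSET alone is published (and the zone resigned), the old certificate no longer matches anything, which is the replacement-instead-of-revocation model the reply describes.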