On Sep 19, 2013, at 7:11 PM, Viktor Dukhovni <[email protected]> wrote:

> On Thu, Sep 19, 2013 at 10:10:35PM +0000, Viktor Dukhovni wrote:
> 
>> Agreed on PKIX-TA vs. PKIX-CA.
> 
> On second thought, I am not so sure: the CA constraint with usage
> 0 is NOT a trust-anchor; the trust-anchor is still the PKIX root CA.
> 
> This usage requires the presence of a given CA (root or intermediate)
> in the chain, but does not promote that CA to a trust anchor (as
> with usage 2).  So perhaps the original PKIX-CA is in fact better.

PKIX is not clear if there are PKIX TAs that are not CAs, as we discussed 
extensively earlier in this WG. We do not need to open those wounds with molten 
salt. Either term is probably technically accurate, and we won't know for sure.

The rest of this document seems fine, and is a valuable addition to the DANE 
world.

--Paul Hoffman
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
