On Mon, Oct 07, 2013 at 09:42:50AM -0400, Stephen Kent wrote:
> Viktor,
> >>To me this loses the fact that there will be PKIX processing that occurs
> >>with this section.  I would strongly recommend that this become PKIX-TA.
> >
> >I think that would confuse almost everyone.  The "PKI" part of PKIX
> >carries inappropriate in this context mental baggage.
>
> So the mental baggage to which you refer is an example of an
> inappropriate-sized carry on (to run that metaphor into the ground).

Yes, but I still think many will find PKIX-TA confusing as a
description of usage 2.  It is easier to roughly divide the usages
into

  - 0/1 (PKIX, that is public CA verified, DNSSEC constrained)

and

  - 2/3 (DANE, that is DNSSEC verified)

though I freely admit that indeed the PKIX specification is
silent on the origin of the TA, and technically quite suitable to
usage 2.  Indeed many of the implementation flaws I pointed out
some months back this spring (in then-extant DANE implementations)
were related to failure to properly verify usage 2 chains (it was
a common error to simply check that the peer's chain contained the
associated TA certificate without checking that the TA actually
authenticates a valid chain leading to the EE certificate).

So perhaps the bottom line is that no matter which acronyms we
adopt, confusion will reign until we have ample implementation
guidance (and even then of course some will remain perpetually
confused).

I originally had implementation notes in the DANE ops draft, but
decided to focus just on operational issues, in the end.  Perhaps
there should be a separate document with guidance and warnings for
implementation developers.

-- 
        Viktor.
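
The usage 2 error described in the message above, next to a check that verifies the chain, as an added example that is not part of the original message or of any DANE implementation. The Cert class, the toy textbook-RSA signatures and all names and keys are constructed stand-ins for real X.509 processing; validity dates, name checks and basic constraints are left out.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # toy textbook RSA (no padding, tiny keys): illustration only

def make_key(p, q):
    """Return (public modulus, private exponent) for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:  # simplified stand-in for an X.509 certificate (assumption)
    subject: str
    issuer: str
    pub_n: int
    sig: int = 0

    def tbs_hash(self, n):
        tbs = f"{self.subject}|{self.issuer}|{self.pub_n}".encode()
        return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, issuer, pub_n, signer_n, signer_d):
    cert = Cert(subject, issuer, pub_n)
    cert.sig = pow(cert.tbs_hash(signer_n), signer_d, signer_n)
    return cert

def signed_by(cert, issuer_cert):
    n = issuer_cert.pub_n
    return (cert.issuer == issuer_cert.subject
            and pow(cert.sig, E, n) == cert.tbs_hash(n))

def flawed_usage2(chain, ta):
    # The error described above: the TA only has to appear in the peer's chain.
    return ta in chain

def correct_usage2(chain, ta):
    # chain[0] is the EE certificate; verify every link upward until the TA.
    for cert, issuer in zip(chain, chain[1:]):
        if not signed_by(cert, issuer):
            return False
        if issuer == ta:
            return True
    return False

# Constructed sample data: Mersenne primes keep the toy keys short.
ta_n, ta_d = make_key(2**89 - 1, 2**107 - 1)
ee_n, _ = make_key(2**61 - 1, 2**31 - 1)
rogue_n, rogue_d = make_key(2**127 - 1, 2**19 - 1)
ta = issue("Example TA", "Example TA", ta_n, ta_n, ta_d)  # matched by the TLSA record
good_ee = issue("mail.example", "Example TA", ee_n, ta_n, ta_d)
unchained_ee = issue("mail.example", "Example TA", rogue_n, rogue_n, rogue_d)
```

Here unchained_ee names the TA as its issuer but carries a signature made with a different key, so only the link-by-link check tells the two EE certificates apart.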