Warren Kumari <[email protected]> writes:

> PKIX-TA > PKIX-CA > DANE-<something>

That's exactly the order I'd prefer. Types 0/1 require PKIX, so the prefix makes sense and I like the alignment that allows:

|---------+---------|
| PKIX-TA | PKIX-EE |
|---------+---------|
| DANE-TA | DANE-EE |
|---------+---------|

(even though a future type 5 may not align well, those four still can and probably should)

That being said, I'm fine with PKIX-CA as well.

I disagree(ish) that a type 0 reference is not a trust-anchor and thus shouldn't be called that. And the reason I disagree is that though in-itself it isn't one because the true trust anchor must also be pre-programmed, it still is very much restricting use to a single TA and pointed to as a reference. Thus it truly is being used as a form of trust, because both the internally recorded TA and the DANE TLSA record must match or all bets are off. Thus they're both equally as important when DANE is in play.

--
Wes Hardaker
Parsons

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
