On Sun, Oct 06, 2013 at 02:38:50PM -0700, Jim Schaad wrote:

> 5.  As I have stated before, I am not a fan of using DANE-TA for value 2.
> To me this loses the fact that there will be PKIX processing that occurs
> with this section.  I would strongly recommend that this become PKIX-TA.

I think that would confuse almost everyone.  The "PKI" part of PKIX
carries mental baggage that is inappropriate in this context.

Yes, any trust-anchor implies validating certificate chains,
performing name on the leaf, ...  Thus the mechanics of validating
usage 2 associations are very similar to the mechanics of doing
the same with an a-priori configured public CA trust anchor.  Alas,
when one hears PKIX, the associated mental baggage includes the
full panoply of public CAs and does not evoke the decentralized
DANE model.

Thus "TA" is IMHO already sufficient to imply all the relevant
technical features, without evoking unwanted mental associations.

> The use of PKIX-TA for the value of 0 never made any sense since there is
> no trust anchor decision that is associated with the certificate in this
> record.  The only two records currently that have a trust anchor, as opposed
> to a constraint, component are 2 and 3.

Here, I've already agreed with you upthread, I think PKIX-CA is
better here (Paul Hoffman disagreed, but frankly I am not sure
how his response applies to the question at hand).

-- 
        Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane