Viktor,
> On Sun, Oct 06, 2013 at 02:38:50PM -0700, Jim Schaad wrote:
>> 5. As I have stated before, I am not a fan of using DANE-TA for value 2.
>> To me this loses the fact that there will be PKIX processing that occurs
>> with this section. I would strongly recommend that this become PKIX-TA.
>
> I think that would confuse almost everyone. The "PKI" part of PKIX
> carries mental baggage that is inappropriate in this context.
>
> Yes, any trust-anchor implies validating certificate chains,
> performing name on the leaf, ... Thus the mechanics of validating
> usage 2 associations are very similar to the mechanics of doing
> the same with an a-priori configured public CA trust anchor. Alas,
> when one hears PKIX, the associated mental baggage includes the
> full panoply of public CAs and does not evoke the decentralized
> DANE model.

Not for everyone :-). PKIX RFCs do not address the public TA/CA
model in browsers to which you refer. So the mental baggage to which
you refer is an example of an inappropriately sized carry-on (to run
that metaphor into the ground).

Steve