On Mon, Dec 02, 2013 at 01:44:49PM -0500, Warren Kumari wrote:
> So, let's try and get this "what to call it" question nailed down
> once and for all.
>
> Please express a preference for:
>
> PKIX-TA
> PKIX-CA
> DANE-<something>
>
> I don't think that anyone really *loves* any of the above, so an
> even better outcome is that someone proposes a better acronym that
> everyone likes...

We should attempt to capture something of the flavour of (be at
least as clear as) the short names in RFC 6698:

    0 - "CA constraint"
    1 - "service certificate constraint"
    2 - "trust anchor assertion"
    3 - "domain-issued certificate"

Of these 0 and 2 are reasonably clear, while 1 and especially 3
are a bit oblique. Thus the shorter acronyms I would propose are:

    0 CA-CHECK
    1 EE-CHECK
    2 DANE-TA
    3 DANE-EE

The word "check" is one of the shorter synonyms for "constraint"
when used to mean "restriction". If brevity is not a major priority,
we could use "CONSTRAINT" rather than "CHECK".

The above has the advantage of not using "PKIX" as a contrast to
DANE in 0/1, which was problematic, because 2 is also PKIX, just
with a dynamically established X.509 trust anchor. The only
non-PKIX usage was 3.

A similar alternative is:

    0 LIMIT-CA
    1 LIMIT-EE
    2 DANE-TA
    3 DANE-EE

--
Viktor.