On Sat, Aug 01, 2015 at 08:14:57PM -0700, Joel Jaeggli wrote:
> COMMENT:
>
> From Fred Baker's opsdir review, I would like to see a comment on these
> from the authors.
Sure.
On Tue, Jun 23, 2015 at 07:32:56PM +0000, Fred Baker (fred) wrote:
> Summary: Ready to go, two comments that might be considered last call or IESG
> comments if the AD agrees.
>
> I think the opening paragraph of the introduction needs some tweaking.
>
> The DANE TLSA specification ([RFC6698]) introduces the DNS "TLSA"
> resource record type. TLSA records associate a certificate or a
> public key of an end-entity or a trusted issuing authority with the
> corresponding TLS transport endpoint. DNSSEC validated DANE TLSA
> records can be used to augment or replace the use of trusted public
> Certification Authorities (CAs).
The latest version is:
The DNS-Based Authentication of Named Entities (DANE) specification
([RFC6698]) introduces the DNS "TLSA" resource record type ("TLSA" is
not an acronym). TLSA records associate a certificate or a public
key of an end-entity or a trusted issuing authority with the
corresponding TLS transport endpoint. DANE relies on the DNS
Security Extensions (DNSSEC, [RFC4033]). DNSSEC validated DANE TLSA
records can be used to augment or replace the use of trusted public
Certification Authorities (CAs).
> I'm not an expert on this, but I think it would be more accurate to say
> that it replaces a PKI, not a CA. A CA probably deploys and operates a
> PKI. However, it does so in the context of a business - it vets entities
> that it will sell certificates to, and then sells them certificates, which
> it stores somewhere such as a PKI. I would expect that the CA, in this
> model, would have the same business (and hence is not replaced), but store
> its certificates in TLSA records instead of or in addition to in a PKI.
To me the paragraph looks fine as-is, it refers to augmenting or
replacing "the use of trusted public CAs", not the CAs themselves.
If we speak instead of replacing or augmenting the Web PKI, we'd
need to explain what the Web PKI is (a bunch of trusted public
CAs). So it is I think simpler to just say what is meant.
If the text does not look sufficiently clear to others, I'm open
to suggestions.
> In section 1.1, a number of terms are defined, including "public key". If
> "public key" needs definition (which it does, as the term is used to
> specifically refer to a field within a certificate, as opposed to a more
> general cryptographic usage), I think "Certificate Authority (CA)" and
> "Public Key Infrastructure (PKI)", which are also used throughout the
> document, require definition.
A definition of "public key" has already been added to the terminology
section. The term PKI is listed as "well-known" at:
https://www.rfc-editor.org/rfc-style-guide/abbrev.expansion.txt
The remaining proposed addition to the terminology section is "CA",
which is expanded on first use, but not specifically defined in
the terminology section. I might note that the terminology section
of RFC 6698 consists entirely of a reference to other RFCs:
This document also makes use of standard PKIX, DNSSEC, TLS, and
DNS terminology. See [RFC5280], [RFC4033], [RFC5246], and STD
13 [RFC1034] [RFC1035], respectively, for these terms. In
addition, terms related to TLS-protected application services
and DNS names are taken from [RFC6125].
Would anything like that be appropriate for this draft (which now
that I think of it still needs to add 6698 to the "updates" list)?
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
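One way to make the introduction paragraph quoted in the reply above concrete, as an added example that is not code from this thread, from the draft, or from RFC 6698: a small Python module that builds a TLSA record from a certificate or its public key, round-trips the wire and presentation formats, derives the owner name a client queries, and applies the usage, selector and matching-type semantics when deciding whether a server's chain is accepted. Assumptions: the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER; the caller supplies the outcome of ordinary PKIX validation and whether the TLSA RRset was DNSSEC validated; and dane_verify() is a simplified checker that omits DANE-TA path rebuilding, as its docstring states.

```python
"""TLSA (RFC 6698) record construction, parsing and matching.

Added example: not code from the draft under discussion or from any
DANE implementation. The certificate/SPKI bytes are constructed
stand-ins, not real DER, and dane_verify() is a deliberately
simplified checker (see its docstring).
"""
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usage field (RFC 6698, section 2.1.1).
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selector field (section 2.1.2): full certificate or SubjectPublicKeyInfo.
SEL_CERT, SEL_SPKI = 0, 1
# Matching type field (section 2.1.3).
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed sample data: stand-ins for a DER certificate and its
# DER-encoded SubjectPublicKeyInfo (a real client would take these
# from the TLS handshake).
SAMPLE_CERT = b"constructed stand-in for a DER end-entity certificate"
SAMPLE_SPKI = b"constructed stand-in for its DER SubjectPublicKeyInfo"


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # "certificate association data"

    def to_rdata(self) -> bytes:
        """Wire-format RDATA: three one-octet fields, then the data."""
        return bytes([self.usage, self.selector, self.matching]) + self.data

    @classmethod
    def from_rdata(cls, rdata: bytes) -> "TLSA":
        if len(rdata) < 3:
            raise ValueError("TLSA RDATA shorter than 3 octets")
        usage, selector, matching = rdata[0], rdata[1], rdata[2]
        if usage > 3 or selector > 1 or matching > 2:
            # Unassigned values must never be treated as a match.
            raise ValueError("unassigned TLSA field value")
        return cls(usage, selector, matching, bytes(rdata[3:]))

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        usage, selector, matching, *hexparts = text.split()
        head = bytes([int(usage), int(selector), int(matching)])
        return cls.from_rdata(head + bytes.fromhex("".join(hexparts)))


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the client queries: _port._proto.host (section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(selector: int, matching: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply the selector, then the matching type, to the server's cert."""
    selected = cert_der if selector == SEL_CERT else spki_der
    if matching == MATCH_FULL:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unassigned matching type")


def make_tlsa(usage, selector, matching, cert_der, spki_der) -> TLSA:
    """What a zone operator publishes for a given certificate."""
    return TLSA(usage, selector, matching,
                association_data(selector, matching, cert_der, spki_der))


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    expected = association_data(record.selector, record.matching,
                                cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)


def dane_verify(records, chain, pkix_valid: bool, dnssec_secure: bool) -> bool:
    """Simplified acceptance check of a server chain against a TLSA RRset.

    chain is a list of (cert_der, spki_der) pairs, leaf first.
    Simplification (an assumption of this example, not RFC 6698 text):
    for usages 0 and 2 a match anywhere in the presented chain is
    accepted without rebuilding the path to that trust anchor.
    """
    if not dnssec_secure or not records:
        # TLSA data that did not validate under DNSSEC carries no authority.
        return False
    leaf = chain[0]
    for rec in records:
        if rec.usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
            continue  # usages 0/1 only constrain an already PKIX-valid chain
        if rec.usage in (PKIX_EE, DANE_EE):
            if tlsa_matches(rec, *leaf):
                return True
        elif any(tlsa_matches(rec, c, s) for c, s in chain):
            return True
    return False


if __name__ == "__main__":
    rec = make_tlsa(DANE_EE, SEL_SPKI, MATCH_SHA256, SAMPLE_CERT, SAMPLE_SPKI)
    print(tlsa_owner_name("mail.example.com", 25), "IN TLSA", rec.presentation())
    print("accepted without any CA:",
          dane_verify([rec], [(SAMPLE_CERT, SAMPLE_SPKI)],
                      pkix_valid=False, dnssec_secure=True))
```

The split in dane_verify() is the point the quoted paragraph makes about augmenting or replacing CAs: usages 2 and 3 accept a chain with pkix_valid=False, so no public CA is consulted, while usages 0 and 1 only add a constraint on top of a chain that PKIX already accepted. The dnssec_secure gate reflects the sentence "DANE relies on the DNS Security Extensions": a TLSA RRset that was not DNSSEC validated is ignored rather than trusted.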