On Sun, Nov 18, 2018 at 02:30:53PM +0000, Salz, Rich wrote: > > [ FWIW, TLS is trust-model agnostic, it is the WebPKI that uses the > usual panoply of CAs. ] > > No, it is not agnostic. It does support other trust models -- raw keys, > PGP web-of-trust -- but it's default and primary model from its inception > is X509 and its (so ingrained you might consider it implicit) "trust the > issuer" model. Look at the definitions of certs and CA's and things like > path validation in PKIX and its predecessors, the "trust anchors" which > builds on the chain model -- chained through *issuers* -- in the protocol, > and so on.
[ I don't know why you would choose to argue this point, let's not confuse TLS with the CA/B forum WebPKI in browsers. My post was about TLS. My post was emphatically not an attempt to revive the DANE chain discussion here, and was not even about DANE, nobody is looking forward to reopening that discussion here. However, since bashing DNSSEC is a popular sport, I may for the record, now and then post corrections to messages that mischaracterize DNSSEC. ] The X.509 trust-anchors are NOT specified in TLS, and need not be used. Long before DANE, Postfix supported "fingerprint" authentication, especially for email submission clients, which bypassed the WebPKI and never looked at the certificate issuer. Peter Gutmann may apprise you of similar usage in industrial automation. > The "usual panoply of CAs" is the WebPKI instantiation of a trust model, > but do not confuse it with the trust model itself. I have deployed several > instances of the X509/PKI trust model at work, and none of them use a > conventional WebPKI set of anchors. This was explicitly acknowledged and discussed in more detail in the message you're responding to. Yes, PKIX is not always the WebPKI, but in practice it typically is. > If DANE-TLS is to come back, the authors should use a new TLS certificate > type that is perhaps an X509 structure, but whose trust semantics are > defined by DANE. The recent IEEE vehicle cert did similar, and all it took > was a couple of pieces of email. There is simply no need for that. The existing X.509 encapsultion works just fine, and makes it possible to transparently interoperate with both DANE and CA/B forum WebPKI or other PKIX peers. For clients that can do DNSSEC lookups directly and reliably, DANE works in TLS with no friction. With DANE-TA(2) and DANE-EE(3) you get a different trust model, and DANE-TA(2) does use "trust the issuer", but the ultimately trusted issuer is delivered via DNSSEC TLSA records. DANE does not have to "come back". It is in use today, enabling authenticated SMTP to over 337 thousand email domains and growing: http://stats.dnssec-tools.org/#graphs DANE TLS for SMTP is supported by Postfix, Exim, Halon, PowerMTA, Cisco ESA, ... There are also consumer email providers with millions of users that employ DANE in both directions: comcast.net, web.de, gmx.de, freenet.de, ... and more planned. -- Viktor. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls