On 7/28/15 5:44 PM, Shumon Huque wrote:

> I'd prefer to wait till the trans-ct-dnssec draft has progressed a bit
> more before considering DNSSEC key transparency issues.
>
> It looks like that draft proposes SCT RRs (with DS+chain data in them,
> signed by log providers), so we could in the future incorporate SCT RRs
> in the chain.

That draft really is pretty immature and at this point it's not clear whether and how it's going to progress. Paul Wouters can speak for himself about where he thinks the draft needs to go, but I think it does bear pointing out that he's offered to help out with content, given that he's got considerable DNS and DNSSEC expertise. If the document does continue to progress, I would expect quite substantial changes.

> I believe Eric's question was about why this couldn't be done via a new
> 'Certificate Type' (and not about embedding the chain in the X.509
> cert). I presume the idea being the new certificate type would allow
> both the server's X.509 certificate chain and the corresponding
> DANE/DNSSEC chain to be delivered in the server's Certificate Message. I
> believe the argument for doing it via a new TLS extension was that it
> would allow us to mandate the use of the DANE chain ("Must staple DANE")
> via the X.509 TLS Feature Extension.

Well, sort of. We did talk about creating a new certificate extension rather than a TLS extension but opted not to. The one advantage of an X.509 extension would have been that it wouldn't require protocol changes, but it still would have required modifying both the server and the endpoint.

Melinda

--
Melinda Shore
No Mountain Software
melinda.sh...@nomountain.net

"Software longa, hardware brevis."

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls