[Cryptech Tech] Some problems with the repo access

[Rob Austein]

At Sat, 15 Feb 2014 20:29:26 +0100, Jakob Schlyter wrote:
> 
> If you do TLSA 2 0 0, only DANE w/ DNSSEC validation will be enough;
> there is no difference trust-wise compared to TLSA 3 x x - no path
> validation outside DANE will be performed, the TLS client will just
> match the DNS-published cert to the EE cert issuer, apply path
> validation (key usage et al) and be done with it.

Usage 3 with hash just checks the key.  Usage 2 with full CA
certificate checks all the X.509 semantics of CA and EE and CRL and
OSCP and ..., but with a CA supplied via the TLSA RR and no external
chain to muddy the waters.

Whether there's any real value in things like CRLs or OSCP when using
DANE is a potentially interesting question, but the point is that
usage 2 preserves all the normal X.509 semantics rather than
short-circuiting them.

I am not convinced that it's necessarily a good idea to abandon all
the X.509 machinery we've worked out over the years.  The horribly
broken browser bag of untrusted "trust anchors" model, sure, that's
just stupid, but the rest of it is a bit murkier.

With the usage 2 setup, there are no race conditions when one updates
an EE certificate (assuming it was issued by the same CA, but in my
case it would be).  If one wants to use OSCP to provide
near-instantaneous revocations without messing about with the DNS, one
can.   One doesn't have to muck with the DNS as often, which,
depending on one's operational setup, might be an issue.  Etc.

I have nothing against the 3 1 1 hashed EE certificate model, it's
fine if it fits what you want to do.  I just don't think it's a one
size fits all solution.