On 5.2.2015, at 6.25, Dmitry Anipko <dmitry.anipko@xxxxxxxxx> wrote:

> My reading is that there is a consensus to fix the name misspelling :-), but I could not quite read whether the PKI question got resolved. Markus, can you please comment whether the modification Ted worded would address your concern?

Sorry, I got sidetracked writing a security audit document and never got back. We all have our guilty pleasures.. Anyway, haha ;) Guess we agree about something at least!

> > So final suggestion - get rid of DANE, get rid of TLS, and probably rework the text in that paragraph a bit to make it simpler. As-is, both the DANE and TLS mentions seem superfluous.
>
> I'm skeptical about this--I think it's good to mention DANE. DNSSEC is in effect a PKI, but it's quite a bit different than the other common PKI example. How about "a PKI, for example DNSSEC/DANE or X.509?" That way we don't lose the mention of DNSSEC, but keep it open to other PKIs.

If simplification is not desired, I guess we can work that in too. DANE is just about binding a (DNS) label + port + protocol, using various selectors, to an X.509 certificate (either a CA or an end node one).

Text in question:

    If authentication is done using a public key mechanism such as a TLS certificate or DANE, authentication by itself is not enough since theoretically any PvD could be authenticated in this way. In addition to authentication, the node would need configuration to …

I am not sure where this DNS label + port + protocol combination would be derived from in this case, but admittedly (say) using DHCPv6 or something might make sense here.

So.. my proposed version:

    If authentication is done using a public key mechanism such as PKI certificate chain validation or DANE, authentication by itself is not enough since theoretically any PvD could be authenticated in this way. In addition to authentication, the node would need configuration to …

As the text talks of public key authentication mechanisms, I think PKI certificate chain validation and DANE both qualify. The old text's 'TLS certificate' is just weird to me, although I understand the idea is fundamentally the same.

Cheers,

-Markus
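As an added illustration of the binding Markus describes above (this is example code written for this page, not code from the thread, the PvD draft or any project): a TLSA record lives under the owner name _port._proto.host and carries a usage, a selector (whole certificate or just the SubjectPublicKeyInfo) and a matching type (exact bytes or a hash), per RFC 6698. The block builds a structurally valid but unsigned toy DER certificate (a constructed input; the key and names are placeholders), walks the DER to pull out the SPKI, generates TLSA records for it, and checks which records still match after the certificate is reissued with the same key. All function names are mine.

```python
import hashlib
from dataclasses import dataclass

# ---- minimal DER helpers: enough to build a toy certificate and walk it ----

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (single-byte tag, short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big")
        pos += 2 + nb
    return tag, buf[pos:pos + length], pos + length

def der_children(seq_content: bytes):
    """Yield (tag, raw TLV bytes) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_content):
        start = pos
        tag, _, pos = der_read(seq_content, pos)
        yield tag, seq_content[start:pos]

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_raw = next(der_children(cert_body))
    _, tbs_body, _ = der_read(tbs_raw)
    fields = list(der_children(tbs_body))
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    #                               issuer, validity, subject, subjectPublicKeyInfo, ... }
    if fields and fields[0][0] == 0xA0:      # explicit [0] version present
        fields = fields[1:]
    spki_tag, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw

# ---- TLSA records (RFC 6698): owner name + usage / selector / matching type ----

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """The DNS label the binding hangs off: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def make_tlsa(cert_der: bytes, usage: int, selector: int, matching_type: int) -> TLSARecord:
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert_der, selector, matching_type))

def tlsa_matches(record: TLSARecord, cert_der: bytes) -> bool:
    """Does the presented certificate satisfy this TLSA record?"""
    return association_data(cert_der, record.selector, record.matching_type) == record.data

def rdata_text(r: TLSARecord) -> str:
    return f"{r.usage} {r.selector} {r.matching_type} {r.data.hex()}"

# ---- constructed toy certificate: structurally valid DER, signed by nobody ----

def _seq(*parts: bytes) -> bytes:
    return der_encode(0x30, b"".join(parts))

def _oid(hexbody: str) -> bytes:
    return der_encode(0x06, bytes.fromhex(hexbody))

_NULL = der_encode(0x05, b"")
_RSA = _oid("2A864886F70D010101")          # rsaEncryption
_SHA256_RSA = _oid("2A864886F70D01010B")   # sha256WithRSAEncryption

TOY_SPKI = _seq(
    _seq(_RSA, _NULL),
    der_encode(0x03, b"\x00" + _seq(                       # BIT STRING over RSAPublicKey
        der_encode(0x02, b"\x00\xC3" + bytes(6)),          # placeholder modulus
        der_encode(0x02, b"\x01\x00\x01"))),               # e = 65537
)

def build_toy_cert(spki: bytes, serial: bytes = b"\x01") -> bytes:
    tbs = _seq(
        der_encode(0xA0, der_encode(0x02, b"\x02")),           # [0] version v3
        der_encode(0x02, serial),                              # serialNumber
        _seq(_SHA256_RSA, _NULL),                              # signature algorithm
        _seq(),                                                # issuer (empty Name)
        _seq(der_encode(0x17, b"250101000000Z"),
             der_encode(0x17, b"260101000000Z")),              # validity
        _seq(),                                                # subject (empty Name)
        spki,
    )
    return _seq(tbs, _seq(_SHA256_RSA, _NULL), der_encode(0x03, b"\x00" + bytes(16)))

TOY_CERT = build_toy_cert(TOY_SPKI)

if __name__ == "__main__":
    rec = make_tlsa(TOY_CERT, usage=3, selector=1, matching_type=1)   # DANE-EE, SPKI, SHA-256
    print(tlsa_owner_name("example.com", 443), "IN TLSA", rdata_text(rec))
    reissued = build_toy_cert(TOY_SPKI, serial=b"\x02")   # same key, fresh certificate
    print("selector 1 still matches:", tlsa_matches(rec, reissued))
    print("selector 0 still matches:", tlsa_matches(make_tlsa(TOY_CERT, 3, 0, 1), reissued))
```

The run shows the point of the selector field: a record pinned to the SubjectPublicKeyInfo (selector 1) survives a re-issued certificate with the same key, while a record pinned to the whole certificate (selector 0) does not. It also shows what the record does not tell you, which is the thread's actual concern: a node that can confirm a presented certificate matches _443._tcp.example.com still needs separate configuration saying that this particular binding is the PvD it should trust.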