Shepherd writeup

1. Summary

Paul Hoffman is the document shepherd; Stephen Farrell is the responsible AD.

This document is a small update to RFC 6698, the specification for the
DNS-Based Authentication of Named Entities (DANE) Transport Layer Security
(TLS) Protocol, also known by its DNS RRset name, TLSA. The revision has one
narrow purpose: to give the three numeric fields in the RRtype definition
mnemonic names. This is meant to make TLSA easier to discuss, particularly
for the "certificate usage" field, which specifies what type of public key is in
the TLSA record. Because this draft updates a standards track RFC, the draft is
meant to be a proposed standard as well.

2. Review and Consensus

The short document was thoroughly reviewed in the WG. That very active
discussion among many people led to some very deep divisions in the WG about
what the "certificate usage" fields should be called. The WG chairs called
rough consensus, but a significant number of people in the WG disagreed that
there was consensus at all. It should be noted that the WG has consensus that
some terminology is better than just having the numbers in RFC 6698; however,
there are strong opinions for three or four different sets of terminology. I do
not believe that the wording in the current draft represents "rough consensus"
but, at the same time, I don't see any of the other options as having
noticeably more consensus.

3. Intellectual Property

I did not confirm that each author has stated that their direct, personal
knowledge of any IPR related to this document has already been disclosed, in
conformance with BCPs 78 and 79, because that is unnecessary for this document.
The document adds synonyms to an existing protocol.

4. Other Points

There is still wide disagreement about the meaning of self-signed certificates
and what it means to be part of "PKIX". This disagreement comes from many WG
members' discussions of security with people who use IETF security
technologies, as well as some strong personal biases. The discussion in the WG
was mostly thoughtful even when it was forceful. Given this, it is likely
impossible to come up with names for the "certificate usage" field that will
make even most people happy.