This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] revised text for NTIA response - v4
- Previous message (by thread): [dns-wg] revised text for NTIA response - v4
- Next message (by thread): [dns-wg] revised text for NTIA response - v4
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Thu Nov 6 13:01:20 CET 2008
On Thu, Nov 06, 2008 at 12:06:30PM +0100, Florian Weimer wrote: > > 10. The organization that generates the root zone file must sign the > > file and therefore must hold the private part of the zone signing key. > > > > or > > > > 10. The organization that generates the root zone file must have > > unfettered access to the zone signing key components. > > The second version seems to exclude storing the ZSK in an HSM. The > first version is more ambiguous. In both cases, I don't quite see > what the statement is supposed to mean. Does it advise against the > introduction of yet another layer of indirection, by requiring that > the organization which makes the final, technical content decision on > the root zone (the "generator") also creates the digital signatures? > > -- the first statement is an amplification ... the added text is "...and therefore..." eg. the org must hold the private key if it is going to sign the zone. the second actually does no preclude an HSM, but does acknowledge the NoI requirement that the administrator must have access to the signing keys (both K&Z, public and private). --bill
- Previous message (by thread): [dns-wg] revised text for NTIA response - v4
- Next message (by thread): [dns-wg] revised text for NTIA response - v4
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]