[dnssec-key-tf] slides for the WG this afternoon
Johan Ihren
Wed Oct 24 15:32:14 CEST 2007
>> 1) "TAR should somehow reflect DNS hierarchy"
>> Maybe I misread this, but I recall we were in agreement that the TAR
>> should be inherently flat, i.e., TLD only (esp. given that ARPA will
>> probably be signed soon)
>
> We were in agreement about that, but the bullet point was about
> something else: namely that a TAR shouldn't diverge from the model
> we have for managing the DNS or give rise to an alternate trust
> hierarchy.

So, being a latecomer to this, I have to question this decision. To me (being one of the people who were in favour of this when we discussed it in Tallinn) the whole point with this is to provide a useful service to reduce resolver side costs of acquiring multiple trusted keys for an increasing number of secure islands. Nowhere do I see a 1-1 mapping between such secure islands and TLDs.

However, I do see that a plethora of third party key authentication services like this one will again raise the resolver side cost (which is what we want to avoid). I.e. if I go to RIPE NCC for TLD keys and to COMKEYS.FOO for keys for children of .COM and to a third place for other bits and pieces then we're getting back into doesn't-work-in-practice space. And the whole point of this exercise is to get OUT of that corner, not take a trip around the block and then return to it again.

> Daniel had a good phrase for this which escapes me right now:
> perhaps someone could jog my memory?
>
>> 2) "Need open publication format (XML-ish?) ..."
>> Rather than mentioning the ultimate obvious format, perhaps you could
>> loosely refer to IETF work going on in that area, which the TAR should
>> take into consideration.

Perhaps I'm missing something obvious here, but isn't the authentication method much more important than the exact publication format? I.e. from my POV an arbitrary ASCII blob would work just fine as long as it is covered by a signature I choose to trust.
Regards,
Johan