[dnssec-key-tf] agreements on the use of the repository
Jim Reid
Mon Sep 3 11:46:48 CEST 2007
On Sep 1, 2007, at 00:08, Joao Damas wrote:

> Correct. Something simple and trusted was my understanding and my
> desire for this.
> A simple DNS zone that can be pulled would do the trick (with
> additional local processing). Failing that, a well formatted text
> file available through any of http, ftp, rsync, rss syndication on
> a well known URI could cover this, I believe.

My preference would be for some sort of out-of-band means to distribute the keys, not the DNS. There could be other meta-data to distribute -- certificates for instance -- and access to the repository should require some sort of signed agreement IMO. These are hard to do if the keys are just dropped into the DNS somewhere.

> The important part of this exercise is to get some trust on the
> data that is put into the repository, so I would prefer there to be
> explicit agreement between the repository maintainers and the TLDs
> whose keys are stored, so there is a chance for advance warning of
> changes in publication methods, emergency rollover processes, etc.

IMO such an agreement is critical. It should also include the usual sorts of hold-harmless provisions: this is a place for consenting adults, no promises or guarantees, etc, etc.

> In order to achieve this in a reasonable amount of time one would
> probably need to craft very simple agreements that wouldn't require
> lots of review by legal teams, so for instance, no party should try
> to impose liability on the other. That also means there must be
> simple and clear "terms of usage" for the repository, towards its
> users.

There should also be a provision for renewing these agreements, say on an annual basis, and a notice period so any party can walk away. Whoever provides the key repository needs to have a clear way of terminating the arrangement, not just on technical or operational grounds but for something as simple as "we don't want to do this any more".