[dnssec-deployment] Discussion document for 14 July 2004 meeting

Edward Lewis edlewis at arin.net
Wed Jul 28 11:49:29 EDT 2004


I've been away for a while, and there's been mail already in reply to 
the original document, so I'd first say that I look forward to an 
updated version before making substantial comments.

But there are two comments I want to make against the original.

Referring to figure 1, trusted anchors do not flow from servers. 
Name servers are not trusted points - that's why the data they hold 
and transmit is signed.  The source of the trust anchors will have to 
come from an entity not represented in figure 1 - authority key 
managers (the off-line place where keys are generated) or zone 
signing pieces.

The other comment is against the description of the CC.TRUST_ANCHOR. 
Trust anchors aren't the "starting point" for the authentication 
chain, but rather the end.  Verification begins with the data in hand 
and its signature.  The signature record holds the name of the 
signer - the next link in the chain.  When the signer (key) is known 
as a trust anchor, you end the process.

That sounds minor, but it's the number one stumbling point for folks 
entering DNSSEC.  Validation is supposed to go from the data you want 
up to a point you trust, not start at a point you trust trying to 
find a way to trust the data you get.  The protocol points upward.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                            +1-703-227-9854
ARIN Research Engineer

"I can't go to Miami.  I'm expecting calls from telemarketers." -
Grandpa Simpson.
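
The upward walk described in the message above, as an added example that is not part of the original post or of the discussion document. The record layout, the function names and the hash-based stand-ins for signature and DS checks are assumptions for illustration; real DNSSEC uses public-key signatures.

```python
import hashlib

def toy_sig(key, data):
    # Stand-in for an RRSIG check: NOT real public-key crypto, only enough
    # to make tampering detectable in this constructed example.
    return hashlib.sha256(f"{key}|{data}".encode()).hexdigest()

def ds_digest(zone, key):
    # Stand-in for the DS digest the parent publishes over a child's key.
    return hashlib.sha256(f"DS|{zone}|{key}".encode()).hexdigest()

def signed(name, data, signer, keys):
    return {"name": name, "data": data, "signer": signer,
            "sig": toy_sig(keys[signer], data)}

def validate(rrset, served_keys, served_ds, trust_anchors):
    """Walk from the data in hand up to a trust anchor; return the signers seen."""
    path, current = [], rrset
    while True:
        signer = current["signer"]          # the signature names the next link
        key = served_keys.get(signer)       # fetched from a server: untrusted
        if key is None or toy_sig(key, current["data"]) != current["sig"]:
            raise ValueError(f"bad signature over {current['name']}")
        if signer in path:
            raise ValueError(f"signer loop at {signer}")
        path.append(signer)
        if trust_anchors.get(signer) == key:  # known anchor: the chain ends here
            return path
        ds = served_ds.get(signer)          # parent's statement about this key
        if ds is None or ds["data"] != ds_digest(signer, key):
            raise ValueError(f"nothing above {signer} vouches for its key")
        current = ds                        # now validate that DS the same way

# Constructed sample data (zone names, keys and address are made up).
KEYS = {"example.com.": "k-example", "com.": "k-com", ".": "k-root"}
DS = {z: signed(f"{z} DS", ds_digest(z, KEYS[z]), parent, KEYS)
      for z, parent in [("example.com.", "com."), ("com.", ".")]}
ANSWER = signed("www.example.com. A", "192.0.2.1", "example.com.", KEYS)

if __name__ == "__main__":
    # Anchors are configured locally, out of band, never learned from a server.
    print(validate(ANSWER, KEYS, DS, {".": KEYS["."]}))
    print(validate(ANSWER, KEYS, DS, {"com.": KEYS["com."]}))
```

With an anchor configured for "com." the walk stops one link earlier than with a root anchor, and with no matching anchor it fails at the top of the chain even though every served signature checks out.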


