[dnssec-deployment] SEPs and TARs

Mark Andrews Mark_Andrews at isc.org
Thu Apr 2 16:06:46 EDT 2009


In message <list-17543649 at execdsl.com>, Matthijs Mekking writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mark Andrews schreef:
> >> 	Key scrapings can never be a "TAR" because only the owner
> >> 	of the zone can declare that a key is being managed as a
> >> 	"trust anchor" rather than as a plain SEP.  "trust anchors"
> >> 	have additional constraints above and beyond those of a plain
> >> 	SEP.
> 
> The point is, that TAR is a conceptual term, not (yet) defined
> precisely. Apparently, it is not clear to everyone what exactly a TAR is
> or not. I think the paper at:
> 
> 	http://www.dnssec-deployment.org/tar/
> 
> describes a TAR properly. Whether it is a key scraping TAR or a
> registration-based TAR, they are both TARs but differ in architecture.
> Unfortunately, the opinions in the BarBOF differ from what this paper
> states.

	Key scrapings can NEVER be a TAR because there is no way
	for the scraper to know whether a DNSKEY that is scraped
	is supposed to be used as a "trust anchor".
 
> Let's not redefine TAR. If there is a new need for "Registration-based"
> TAR, create a new term. Whether you call it AVATAR, CAT or DOG. Just
> make sure that the definition is clear.

	I'm not redefining a TAR.  A TAR is a collection of "trust
	anchors".  The keys that are scraped may or may not be
	supposed to be "trust anchors".  If you scrape the wrong
	key then you will have times where the "faux trust anchor"
	will cause validation to break even though it works most
	of the time.

	Mark
 
> Matthijs
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
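An added illustration of the failure mode Mark describes (this is example code written for this page, not code from the list thread, from ISC or from the dnssec-deployment.org paper): it parses DNSKEY records in presentation format, computes RFC 4034 key tags, "scrapes" every SEP-flagged zone key the way a key-scraping collection would, and then checks each scraped key against the zone's DNSKEY RRset at a later time. The zone name, TTLs, key bytes and the two points in time are all constructed; the key material is random-looking filler, not real RSA keys. Nothing in the scraped RRs says which of the two SEP-flagged keys the operator actually intends as a trust anchor, so a scraper that picks the short-lived one ends up with a "faux trust anchor" that works at t1 and fails at t2.

```python
"""Why a scraped SEP-flagged DNSKEY is not automatically a trust anchor.

Constructed example: parse DNSKEY RRs, compute RFC 4034 key tags, scrape
every SEP-flagged key as a scraping collection would, and show that a key
the operator never meant as an anchor stops validating once it is withdrawn.
"""
from __future__ import annotations

import base64
import struct

SEP_FLAG = 0x0001       # Secure Entry Point bit (RFC 3757 / RFC 4034 s2.1.1)
ZONE_KEY_FLAG = 0x0100  # Zone Key bit (RFC 4034 s2.1.1)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag. Algorithm 1 (RSA/MD5) uses a different
    rule and is rejected here rather than silently miscomputed."""
    if algorithm == 1:
        raise ValueError("algorithm 1 key tags are not supported in this example")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str) -> dict:
    """Parse 'owner ttl class DNSKEY flags protocol algorithm base64-key'."""
    fields = rr.split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError(f"not a DNSKEY RR: {rr!r}")
    owner, flags = fields[0].lower(), int(fields[4])
    protocol, algorithm = int(fields[5]), int(fields[6])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034 s2.1.2)")
    pubkey = base64.b64decode("".join(fields[7:]))   # key may be split over whitespace
    return {
        "owner": owner, "flags": flags, "algorithm": algorithm, "pubkey": pubkey,
        "zone_key": bool(flags & ZONE_KEY_FLAG),
        "sep": bool(flags & SEP_FLAG),
        "tag": key_tag(flags, protocol, algorithm, pubkey),
    }


def scrape_sep_keys(rrset: list[str]) -> list[dict]:
    """All a scraper can do: keep every SEP-flagged zone key. The RR carries no
    statement of which of them the operator intends to be a trust anchor."""
    return [k for k in map(parse_dnskey, rrset) if k["zone_key"] and k["sep"]]


def anchor_usable(anchor: dict, rrset: list[str]) -> bool:
    """A configured anchor only helps if the zone currently publishes that exact key."""
    return any(
        k["owner"] == anchor["owner"] and k["algorithm"] == anchor["algorithm"]
        and k["tag"] == anchor["tag"] and k["pubkey"] == anchor["pubkey"]
        for k in map(parse_dnskey, rrset)
    )


def dnskey_rr(owner: str, flags: int, algorithm: int, pubkey: bytes) -> str:
    """Build one DNSKEY RR in presentation format (constructed test data)."""
    return f"{owner} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"


# Constructed key bytes: filler, not real keys of any algorithm.
KSK_LONG_LIVED = b"\x03\x01\x00\x01" + bytes(range(0x10, 0x40))
KSK_TEMPORARY = b"\x03\x01\x00\x01" + bytes(range(0x80, 0xB0))
ZSK = b"\x03\x01\x00\x01" + bytes(range(0x40, 0x70))

# t1: two SEP-flagged keys are published (e.g. mid KSK rollover); both look alike to a scraper.
RRSET_T1 = [
    dnskey_rr("example.", 257, 8, KSK_LONG_LIVED),
    dnskey_rr("example.", 257, 8, KSK_TEMPORARY),
    dnskey_rr("example.", 256, 8, ZSK),
]
# t2: the temporary key has been withdrawn; only the intended anchor remains.
RRSET_T2 = [
    dnskey_rr("example.", 257, 8, KSK_LONG_LIVED),
    dnskey_rr("example.", 256, 8, ZSK),
]


def scraped_anchor_outcomes() -> list[tuple[int, bool, bool]]:
    """For each key scraped at t1: (key tag, usable at t1, usable at t2)."""
    return [(k["tag"], anchor_usable(k, RRSET_T1), anchor_usable(k, RRSET_T2))
            for k in scrape_sep_keys(RRSET_T1)]


if __name__ == "__main__":
    for tag, at_t1, at_t2 in scraped_anchor_outcomes():
        print(f"scraped key tag {tag}: usable at t1={at_t1}, at t2={at_t2}")
```

The second scraped key is the faux anchor: a validator that trusts only it validates fine at t1 and fails at t2, which is exactly the "works most of the time" breakage. Only the zone owner can say which SEP-flagged key is meant to be configured as a trust anchor; the flag bit and key tag do not carry that information.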
