[dnssec-deployment] Fwd: New Version Notification for draft-faltstrom-root-trust-anchor-validation-00
patrik at frobbit.se
Wed Apr 8 11:22:03 EDT 2009
On 8 apr 2009, at 17.16, Marc Blanchet wrote:
> the draft says:
> "Someone that receive such a signed TAR can verify the signatures"
> how do I get the key to verify the signature(s)?
For example, I presume you have some stuff already in the operating
system you have installed from Microsoft and Apple. They sign their
updates, and somewhere -- possibly without knowing about it -- you
have a key that makes it possible for you to trust it.
Or, you have the key in some other way, like an X.509 cert that you
already have from some CA, or a PGP key from your favorite friend. Or,
the PGP key of the TAR, or the PGP key of the auditor that is used
formally to audit the process.
> in a way that I can trust that key?
> is this just moving the problem somewhere else?
Yes, it does, but it moves the problem in potentially many directions.
You can trust whoever you find easiest to trust, while I use
whoever I want to trust.
> I guess I'm missing something.
> Patrik Fältström wrote:
>> I just wanted you all to know about this. It is nothing special at
>> but rather something Jakob and I had to "just" write down as we were
>> both involved in tons of discussions on how to distribute the public
>> part of the KSK. For us it was simple. "Just" sign it with PGP or
>> whatever. And anyone can sign it and redistribute it after they know
>> what they sign is the right data.
>> But we got so many questions we wrote it down.
>> Begin forwarded message:
>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>> Date: on 8 apr 2009 14.54.58 GMT+02:00
>>> To: paf at cisco.com
>>> Cc: jakob at kirei.se
>>> Subject: New Version Notification for
>>> A new version of I-D,
>>> draft-faltstrom-root-trust-anchor-validation-00.txt has been
>>> successfully submitted by Patrik Faltstrom and posted to the IETF
>>> Filename: draft-faltstrom-root-trust-anchor-validation
>>> Revision: 00
>>> Title: Validation of the root trust anchor for the DNS
>>> Creation_date: 2009-04-08
>>> WG ID: Independent Submission
>>> Number_of_pages: 6
>>> This document describes practical requirements and needs for
>>> automatic validation of the root trust anchor for the DNS. It also
>>> proposes a mechanism using PGP and/or S/MIME that can be used to
>>> fulfil the requirements.
>>> The IETF Secretariat.
> IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
> Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
> DTN news service: http://reeves.viagenie.ca