[dnssec-deployment] Fwd: New Version Notification for draft-faltstrom-root-trust-anchor-validation-00
marc.blanchet at viagenie.ca
Wed Apr 8 11:29:02 EDT 2009
Patrik Fältström a écrit :
> On 8 apr 2009, at 17.16, Marc Blanchet wrote:
>> the draft says:
>> "Someone that receive such a signed TAR can verify the signatures"
>> how do I get the key to verify the signature(s)?
> For example, I presume you have some stuff already in the operating
> system you have installed from Microsoft and Apple. They sign their
> updates, and somewhere -- possibly without knowing about it -- you have
> a key that makes it possible for you to trust it.
> Or, you have the key in some other way, like an X.509 cert that you
> already have from some CA, or a PGP key from your favorite friend. Or,
> the PGP key of the TAR, or the PGP key of the auditor that is used
> formally to audit the process.
>> in a way that I can trust that key?
>> is this just moving the problem somewhere else?
> Yes, it does, but it moves the problem in potentially many directions.
> You can trust whoever you have the easiest to trust while I use whoever
> I want to trust.
ok. Therefore, the requirement of this draft is that:
- there is already some pre-established trust to some signing key used
for signing the TAR.
- the level of "security" of that solution depends on that
I think the draft should state that pretty clear at the beginning.
Now, how do we deploy this out-of-band key and trust to the guys who
need to put this into validating resolvers? Shall we have pgp key
signing parties within the appropriate community? I think there should
be some text on these issues as well.
(pls take these as constructive comments...)
>> I guess I'm missing something.
>> Patrik Fältström a écrit :
>>> I just wanted you all to know about this. It is nothing special at all,
>>> but rather something Jakob and I had to "just" write down as we where
>>> both involved in tons of discussions on how to distribute the public
>>> part of the KSK. For us it was simple. "Just" sign it with PGP or
>>> whatever. And anyone can sign it and redistribute it after they know
>>> what they sign is the right data.
>>> But we got so many questions we wrote it down.
>>> Begin forwarded message:
>>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>>> Date: on 8 apr 2009 14.54.58 GMT+02:00
>>>> To: paf at cisco.com
>>>> Cc: jakob at kirei.se
>>>> Subject: New Version Notification for
>>>> A new version of I-D,
>>>> draft-faltstrom-root-trust-anchor-validation-00.txt has been
>>>> successfuly submitted by Patrik Faltstrom and posted to the IETF
>>>> Filename: draft-faltstrom-root-trust-anchor-validation
>>>> Revision: 00
>>>> Title: Validation of the root trust anchor for the DNS
>>>> Creation_date: 2009-04-08
>>>> WG ID: Independent Submission
>>>> Number_of_pages: 6
>>>> This document describes practical requirements and needs for
>>>> automatic validation of the root trust anchor for the DNS. It also
>>>> proposes a mechanism using PGP and/or S/MIME that can be used to
>>>> fulfil the requirements.
>>>> The IETF Secretariat.
>> IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
>> Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
>> DTN news service: http://reeves.viagenie.ca
IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
DTN news service: http://reeves.viagenie.ca
More information about the Dnssec-deployment