[dnssec-deployment] Fwd: New Version Notification for draft-faltstrom-root-trust-anchor-validation-00

Patrik Fältström patrik at frobbit.se
Wed Apr 8 12:25:29 EDT 2009


On 8 apr 2009, at 17.29, Marc Blanchet wrote:

> ok. Therefore, the requirement of this draft is that:
> - there is already some pre-established trust to some signing key used
> for signing the TAR.
> - the level of "security" of that solution depends on that
> pre-established trust.
>
> I think the draft should state that pretty clearly at the beginning.

Ok, I understand what you want. The only thing is that that
pre-established trust might not be pre-established 2001 or so. But what
you say is that we more explicitly should point out that this "other"
trust is not part of the "formal" DNSSEC trust chain(s). It is "some
other kind of trust".

> Now, how do we deploy this out-of-band key and trust to the guys who
> need to put this into validating resolvers?  Shall we have pgp key
> signing parties within the appropriate community?

Possibly...

> I think there should be some text on these issues as well.

Yes, maybe even other documents!

Start writing+hacking!

> (pls take these as constructive comments...)

I do!

    Patrik

> Marc.
>
>
>>   Patrik
>>
>>> I guess I'm missing something.
>>>
>>> Marc.
>>>
>>> Patrik Fältström wrote:
>>>> I just wanted you all to know about this. It is nothing special at all,
>>>> but rather something Jakob and I had to "just" write down as we were
>>>> both involved in tons of discussions on how to distribute the public
>>>> part of the KSK. For us it was simple. "Just" sign it with PGP or
>>>> whatever. And anyone can sign it and redistribute it after they know
>>>> what they sign is the right data.
>>>>
>>>> Right?
>>>>
>>>> But we got so many questions we wrote it down.
>>>>
>>>>  Patrik
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>>>> Date: on 8 apr 2009 14.54.58 GMT+02:00
>>>>> To: paf at cisco.com
>>>>> Cc: jakob at kirei.se
>>>>> Subject: New Version Notification for
>>>>> draft-faltstrom-root-trust-anchor-validation-00
>>>>>
>>>>>
>>>>> A new version of I-D,
>>>>> draft-faltstrom-root-trust-anchor-validation-00.txt has been
>>>>> successfuly submitted by Patrik Faltstrom and posted to the IETF
>>>>> repository.
>>>>>
>>>>> Filename:     draft-faltstrom-root-trust-anchor-validation
>>>>> Revision:     00
>>>>> Title:         Validation of the root trust anchor for the DNS
>>>>> Creation_date:     2009-04-08
>>>>> WG ID:         Independent Submission
>>>>> Number_of_pages: 6
>>>>>
>>>>> Abstract:
>>>>> This document describes practical requirements and needs for
>>>>> automatic validation of the root trust anchor for the DNS.  It also
>>>>> proposes a mechanism using PGP and/or S/MIME that can be used to
>>>>> fulfil the requirements.
>>>>>
>>>>>
>>>>>
>>>>> The IETF Secretariat.
>>>>>
>>>>>
>>>>
>>>
>>>
>>> -- 
>>> =========
>>> IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
>>> Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
>>> DTN news service: http://reeves.viagenie.ca
>>>
>>>
>>
>
>
> -- 
> =========
> IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
> Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
> DTN news service: http://reeves.viagenie.ca
>
>
