[dnssec-deployment] Fwd: New Version Notification for draft-faltstrom-root-trust-anchor-validation-00

Marc Blanchet marc.blanchet at viagenie.ca
Wed Apr 8 12:28:19 EDT 2009


Patrik Fältström wrote:
> On 8 apr 2009, at 17.29, Marc Blanchet wrote:
> 
>> ok. Therefore, the requirement of this draft is that:
>> - there is already some pre-established trust to some signing key used
>> for signing the TAR.
>> - the level of "security" of that solution depends on that
>> pre-established trust.
>>
>> I think the draft should state that pretty clearly at the beginning.
> 
> Ok, I understand what you want. The only thing is that that
> pre-established trust might not be pre-established 2001 or so. But what
> you say is that we more explicitly should point out that this "other"
> trust is not part of the "formal" DNSSEC trust chain(s). It is "some
> other kind of trust".

- right.
- and the possible consequences/issues/concerns/impacts/... of such
"other web of trust".

Marc.

> 
>> Now, how do we deploy this out-of-band key and trust to the guys who
>> need to put this into validating resolvers?  Shall we have pgp key
>> signing parties within the appropriate community?
> 
> Possibly...
> 
>> I think there should be some text on these issues as well.
> 
> Yes, maybe even other documents!
> 
> Start writing+hacking!
> 
>> (pls take these as constructive comments...)
> 
> I do!
> 
>    Patrik
> 
>> Marc.
>>
>>
>>>   Patrik
>>>
>>>> I guess I'm missing something.
>>>>
>>>> Marc.
>>>>
>>>> Patrik Fältström wrote:
>>>>> I just wanted you all to know about this. It is nothing special at all,
>>>>> but rather something Jakob and I had to "just" write down as we were
>>>>> both involved in tons of discussions on how to distribute the public
>>>>> part of the KSK. For us it was simple. "Just" sign it with PGP or
>>>>> whatever. And anyone can sign it and redistribute it after they know
>>>>> what they sign is the right data.
>>>>>
>>>>> Right?
>>>>>
>>>>> But we got so many questions we wrote it down.
>>>>>
>>>>>  Patrik
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: IETF I-D Submission Tool <idsubmission at ietf.org>
>>>>>> Date: on 8 apr 2009 14.54.58 GMT+02:00
>>>>>> To: paf at cisco.com
>>>>>> Cc: jakob at kirei.se
>>>>>> Subject: New Version Notification for
>>>>>> draft-faltstrom-root-trust-anchor-validation-00
>>>>>>
>>>>>>
>>>>>> A new version of I-D,
>>>>>> draft-faltstrom-root-trust-anchor-validation-00.txt has been
>>>>>> successfully submitted by Patrik Faltstrom and posted to the IETF
>>>>>> repository.
>>>>>>
>>>>>> Filename:     draft-faltstrom-root-trust-anchor-validation
>>>>>> Revision:     00
>>>>>> Title:         Validation of the root trust anchor for the DNS
>>>>>> Creation_date:     2009-04-08
>>>>>> WG ID:         Independent Submission
>>>>>> Number_of_pages: 6
>>>>>>
>>>>>> Abstract:
>>>>>> This document describes practical requirements and needs for
>>>>>> automatic validation of the root trust anchor for the DNS.  It also
>>>>>> proposes a mechanism using PGP and/or S/MIME that can be used to
>>>>>> fulfil the requirements.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The IETF Secretariat.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> -- 
>>>> =========
>>>> IPv6 book: Migrating to IPv6, Wiley. http://www.ipv6book.ca
>>>> Stun/Turn server for VoIP NAT-FW traversal: http://numb.viagenie.ca
>>>> DTN news service: http://reeves.viagenie.ca
>>>>
>>>>
>>>
>>
>>
> 

