Re: I-D ACTION:draft-ietf-dnsext-ad-is-secure-02.txt
Edward Lewis <lewis@tislabs.com> Thu, 12 July 2001 19:17 UTC
From: Edward Lewis <lewis@tislabs.com>
To: ogud@ogud.com, brian.wellington@nominum.com
Cc: lewis@tislabs.com, namedroppers@ops.ietf.org
Subject: Re: I-D ACTION:draft-ietf-dnsext-ad-is-secure-02.txt
In-Reply-To: <200106221111.HAA15809@ietf.org>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
Message-Id: <E15KkmC-000CrW-00@psg.com>
Date: Thu, 12 Jul 2001 11:01:24 -0700

Ref. section 2, the term "Authenticated" is used. I think you mean to say that the data has been verified via a temporally and cryptographically verified chain of trust back to a configured key. Authenticated is too broad a term, so you need to qualify it in this context or redefine it. Even if this is done in another document, you should reference that more explicitly.

Now, for an open question. Authenticated data presumably means that the chain was built according to some policy - e.g., RFC 300x. What will happen when the authenticating server uses a policy that is not strong enough for the resolver? Will there be a way to indicate the policy used? (This is also a question to folks wanting to research off-tree validation.)

Finally - should it be more explicit that data in the additional section is not (never) checked? Is there a reason to always omit signatures from the additional section in this case? (Why provide them if they've been ignored?)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis, NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.