Re: [dnsext] historal root keys for upgrade path?

Paul Wouters <paul@xelerance.com> Tue, 01 February 2011 03:19 UTC

Date: Mon, 31 Jan 2011 22:22:52 -0500
From: Paul Wouters <paul@xelerance.com>
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <A46E3BD6-8468-44B2-9A80-73845E53E170@hopcount.ca>
Message-ID: <alpine.LFD.1.10.1101312218490.22764@newtla.xelerance.com>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <17A80F45-52CB-43F6-BD4A-3488821F6933@hopcount.ca> <3A1DEE95-8C8E-4C89-97EB-6D8F799ADE25@virtualized.org> <583A62B0-0DBF-469A-AF8A-B81DEDD1E7E2@dotat.at> <86B1D38A-C274-4335-B30E-3C5C0DF05C38@hopcount.ca> <4D45DE93.9090508@vpnc.org> <AANLkTinbjRebooyqWMpZ2oTudruoDSGqgaXXr35WPYVH@mail.gmail.com> <AANLkTikiqe2K4S-dNsyQZ-xp71J4bM11SsahwpxfDKCX@mail.gmail.com> <4C747F08-A9E8-46E6-AE76-0A999A16D276@hopcount.ca> <AANLkTinOtx88vK3mz-w=uw1CnsKwm=c-nTDOsj=5JAPY@mail.gmail.com> <B4F822D3-F4D6-4657-B299-075B89B5CC86@hopcount.ca> <899F4D8E-2E75-44C3-A001-612582209C86@icsi.berkeley.edu> <63AEECED-2D62-4FC4-81C8-87464D37A72E@hopcount.ca> <AANLkTimKdySsgKLB8Q4fgPOGV5VO2Vgy7sXQBa3S9MoG@mail.gmail.com> <09DC661D-5974-44A4-BF58-E5152945B60B@hopcount.ca> <AANLkTi=9RKWJiv_oOaAMnW-eLZz1ZkbC4QO2VRoigoB7@mail.gmail.com> <A46E3BD6-8468-44B2-9A80-73845E53E170@hopcount.ca>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?

On Mon, 31 Jan 2011, Joe Abley wrote:

> The proposal I posted doesn't establish a second root; it uses established ones

I do agree you are not only adding a second root. You are potentially adding many roots
by requiring one or more PKIX Certificate Agencies.

> (The proposal Dave and I posted seemed pretty simple to me: you pull an XML document using HTTP, then the certificates referred to by that XML doc and use one of the X.509 CA keys you already have to verify any one of them. Until you find a suitable cert, you operate without DNSSEC.)

This, of course, mixes two different trust anchor schemes. DNSSEC should not depend on PKIX.

TALINK, on the other hand, does not depend on PKIX.

Paul
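The step in the quoted proposal that is pure DNSSEC, independent of how the XML document itself gets authenticated, is checking that a DNSKEY seen in the root's apex set actually matches a trust anchor published as a DS-style digest. The example below is added here and is not code from this thread or from the draft under discussion: it parses a small trust-anchor document (the element names `TrustAnchor`, `Zone`, `KeyDigest`, `KeyTag`, `Algorithm`, `DigestType` and `Digest` are an assumption about the layout, not taken from the thread), computes the RFC 4034 key tag and DS digest from a DNSKEY, and rejects a key whose algorithm, flags, tag or digest disagree. Every key value is constructed for the demonstration; the XML is built from the same sample key so the match is reproducible offline. It deliberately does not touch the X.509 verification of the document, which is exactly the dependency Paul objects to.

```python
"""Check a DNSKEY against a trust-anchor XML document (DS-style digest match).

Added example, not the thread's or any draft's own code. Element names and all
key material below are constructed assumptions, not IANA's real root anchors.
"""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET  # fine for constructed input; harden for untrusted input

# DS digest types per RFC 4034 / RFC 4509; SHA-1 kept only for completeness.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}
ZONE_KEY_FLAG = 0x0100  # DNSKEY "Zone Key" bit, RFC 4034 section 2.1.1


def name_to_wire(name: str) -> bytes:
    """Owner name in presentation format -> uncompressed wire format (RFC 1035 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the non-RSA/MD5 form): sum of 16-bit words, folded."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_trust_anchors(xml_text: str) -> list:
    """Extract every KeyDigest from the (assumed) TrustAnchor document layout."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    return [{
        "zone": zone,
        "key_tag": int(kd.findtext("KeyTag")),
        "algorithm": int(kd.findtext("Algorithm")),
        "digest_type": int(kd.findtext("DigestType")),
        "digest": kd.findtext("Digest").strip().upper(),
    } for kd in root.findall("KeyDigest")]


def dnskey_matches_anchor(owner, flags, protocol, algorithm, public_key_b64, anchor) -> bool:
    """True only if every DS field in the anchor is consistent with this DNSKEY."""
    if protocol != 3 or not (flags & ZONE_KEY_FLAG):
        return False  # RFC 4034: protocol must be 3 and the Zone Key bit must be set
    if anchor["zone"] != owner or anchor["algorithm"] != algorithm:
        return False
    if anchor["digest_type"] not in DIGEST_ALGS:
        return False  # unknown digest type: cannot verify, so do not trust
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    if anchor["key_tag"] != key_tag(rdata):
        return False
    return ds_digest(owner, rdata, anchor["digest_type"]) == anchor["digest"]


def build_anchor_xml(owner, flags, protocol, algorithm, public_key_b64, digest_type=2) -> str:
    """Constructed trust-anchor document for the sample key (NOT the IANA file)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    return (f"<TrustAnchor><Zone>{owner}</Zone><KeyDigest>"
            f"<KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>{algorithm}</Algorithm>"
            f"<DigestType>{digest_type}</DigestType>"
            f"<Digest>{ds_digest(owner, rdata, digest_type)}</Digest>"
            f"</KeyDigest></TrustAnchor>")


# Constructed sample: a 4-byte "public key" (bytes 01 02 03 04) so the key tag
# can be checked by hand: 0x0101 + 0x0308 + 0x0102 + 0x0304 = 2063.
SAMPLE_KEY = dict(owner=".", flags=257, protocol=3, algorithm=8, public_key_b64="AQIDBA==")
SAMPLE_XML = build_anchor_xml(**SAMPLE_KEY)


def check_sample(xml_text: str = SAMPLE_XML, key: dict = SAMPLE_KEY) -> bool:
    """Does any anchor in the document vouch for this DNSKEY?"""
    return any(dnskey_matches_anchor(**key, anchor=a) for a in parse_trust_anchors(xml_text))


def tampered_xml() -> str:
    """The same document with the first hex digit of the digest altered."""
    digest = parse_trust_anchors(SAMPLE_XML)[0]["digest"]
    flipped = ("0" if digest[0] != "0" else "1") + digest[1:]
    return SAMPLE_XML.replace(digest, flipped)


if __name__ == "__main__":
    print("sample key matches anchor:", check_sample())
    print("tampered digest matches:  ", check_sample(tampered_xml()))
    print("wrong algorithm matches:  ", check_sample(key=dict(SAMPLE_KEY, algorithm=13)))
```

The match is only as trustworthy as the document it was read from: with a digest that arrived over plain HTTP and was checked against a CA bundle, the anchor inherits the PKIX trust assumptions, whereas a TALINK-style pointer is validated inside DNSSEC itself. For a document fetched from the network, parse it with a parser hardened against entity expansion rather than the stdlib one used here on constructed input.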