Re: [dnsext] Advice sought on DNS file format for new RRs

Phillip Hallam-Baker <hallam@gmail.com> Mon, 22 November 2010 16:41 UTC

In-Reply-To: <alpine.LSU.2.00.1011221603260.4075@hermes-2.csi.cam.ac.uk>
References: <AANLkTimBPLaFZQSbx8W7Dwy0r9SzHsrV-rA9yQU83sZw@mail.gmail.com> <20101119124127.GB8050@shinkuro.com> <AANLkTimX06RCm6_FJSe1mZ5nOi3OTRhh-1QGOtttPpR9@mail.gmail.com> <alpine.LSU.2.00.1011221603260.4075@hermes-2.csi.cam.ac.uk>
Date: Mon, 22 Nov 2010 11:42:40 -0500
Message-ID: <AANLkTik9tW+=cu4HAXDCM0JJV0b1n7Pq7=2oJz-hdJkS@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Advice sought on DNS file format for new RRs

I think that it is right that people will perform such checking, but to do
so on the basis of current CA issuing authorizations will lead to error.

When example.com changes from VeriSign to Comodo they would expect to change
their CAA record to revoke VeriSign's issue authorization immediately. They
would not want this to invalidate existing certificates.

Looking at the mechanics of certificate management within enterprises, I
think it is going to be necessary for most sites to get their issue of certs
under control as a pre-condition for implementing client-enforceable policy.

We had this experience with DKIM. It did not take as much time to write the
spec as people imagine. What really took the time was the fact that
deployment at the sites that mattered required a vast amount of effort to
catalog what was already deployed. From a technical standpoint, DKIM is very
easy to deploy; from an administrative standpoint it is really easy to
administer once it is installed. But going from not using DKIM to using DKIM
can require major changes to management processes and in some cases
centralization of concerns that had previously not been tracked at all.

That is why I think that we need to separate this part of the problem from
the rest and why I think we need a separate DNS RR.

On Mon, Nov 22, 2010 at 11:04 AM, Tony Finch <dot@dotat.at> wrote:

> On Fri, 19 Nov 2010, Phillip Hallam-Baker wrote:
> >
> > The community that is going to use the published information is about 50,
> > highly technical organizations who are only going to make use of the
> > information to effect additional validation checks within a precisely
> > calibrated legal process.
>
> I expect that whether you like it or not, people other than CAs are going
> to check the assertions in these records, and they are going to implement
> these checks in widely-deployed software.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7,
> DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR
> ROUGH. RAIN THEN FAIR. GOOD.
>

-- 
Website: http://hallambaker.com/
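An added illustration of the point argued in the mail above (not code from the thread or from any CAA implementation): a CA consults CAA at issue time, whereas a client that re-checks the current CAA record at validation time rejects a certificate that was properly issued before the zone owner switched CAs. Record syntax follows the later CAA presentation format (flags, tag, quoted value); the CA identifiers and dates are constructed.

```python
"""Issue-time CAA check versus a naive validation-time re-check (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed CAA RRsets for example.com, in "flags tag "value"" presentation form.
# The CA identifier domains are placeholders, not the real CAs' identifiers.
CAA_BEFORE_SWITCH = ['0 issue "verisign.example"']
CAA_AFTER_SWITCH = ['0 issue "comodo.example"']   # VeriSign's authorization revoked


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_caa_id: str    # identifier the issuing CA matches against CAA "issue"
    not_before: date
    not_after: date


def parse_caa(records):
    """Return the set of CA identifiers granted an 'issue' authorization."""
    allowed = set()
    for rr in records:
        _flags, tag, value = rr.split(None, 2)
        if tag == "issue":
            # value is 'domain[; params]' inside quotes; keep only the domain
            allowed.add(value.strip('"').split(";")[0].strip().lower())
    return allowed


def ca_may_issue(caa_now, ca_id):
    """What a CA checks before signing: is it authorized right now?"""
    return ca_id.lower() in parse_caa(caa_now)


def naive_client_check(cert, caa_now, today):
    """Validation-time re-check against the *current* CAA record.

    This is the behaviour the mail warns about: a policy change in DNS
    retroactively invalidates certificates that were legitimately issued.
    """
    in_validity = cert.not_before <= today <= cert.not_after
    return in_validity and ca_may_issue(caa_now, cert.issuer_caa_id)


def demo():
    cert = Cert("example.com", "verisign.example", date(2010, 6, 1), date(2012, 6, 1))
    issued_ok = ca_may_issue(CAA_BEFORE_SWITCH, cert.issuer_caa_id)
    accepted_after_switch = naive_client_check(cert, CAA_AFTER_SWITCH, date(2010, 12, 1))
    return issued_ok, accepted_after_switch   # (True, False): valid cert now rejected
```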