Re: [dnsext] Advice sought on DNS file format for new RRs
Phillip Hallam-Baker <hallam@gmail.com> Mon, 22 November 2010 16:41 UTC
I think that it is right that people will perform such checking, but to do so on the basis of current CA issuing authorizations will lead to error. When example.com changes from VeriSign to Comodo they would expect to change their CAA record to revoke VeriSign's issue authorization immediately. They would not want this to invalidate existing certificates.

Looking at the mechanics of certificate management within enterprises, I think it is going to be necessary for most sites to get their issue of certs under control as a pre-condition for implementing client-enforceable policy.

We had this experience with DKIM. It did not take as much time to write the spec as people imagine. What really took the time was the fact that deployment at the sites that mattered required a vast amount of effort to catalog what was already deployed. From a technical standpoint, DKIM is very easy to deploy; from an administrative standpoint it is really easy to administer once it is installed. But going from not using DKIM to using DKIM can require major changes to management processes and in some cases centralization of concerns that had previously not been tracked at all.

That is why I think that we need to separate this part of the problem from the rest and why I think we need a separate DNS RR.

On Mon, Nov 22, 2010 at 11:04 AM, Tony Finch <dot@dotat.at> wrote:

> On Fri, 19 Nov 2010, Phillip Hallam-Baker wrote:
> >
> > The community that is going to use the published information is about 50,
> > highly technical organizations who are only going to make use of the
> > information to effect additional validation checks within a precisely
> > calibrated legal process.
>
> I expect that whether you like it or not, people other than CAs are going
> to check the assertions in these records, and they are going to implement
> these checks in widely-deployed software.
>
> Tony.
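The failure mode Hallam-Baker describes above (a client judging an existing certificate against the CAA policy published today rather than the one in force at issuance), as an added example that is not part of the original thread. It assumes the CAA presentation format later standardized in RFC 6844 (flags, tag, quoted value), a constructed day-numbered timeline for example.com, and made-up CA domain names.

```python
from dataclasses import dataclass
from typing import List

# CAA presentation format (flags, tag, quoted value) as later standardized
# in RFC 6844; assumed here, the 2010 thread itself does not fix the syntax.
@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(rdata: str) -> CAARecord:
    """Parse '0 issue "ca.example"' into a CAARecord."""
    flags, tag, value = rdata.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def ca_may_issue(rrset: List[CAARecord], ca_domain: str) -> bool:
    """Issuance-time check a CA performs: with no CAA RRset any CA may
    issue; otherwise the CA's domain must appear in an 'issue' record."""
    issue = [r for r in rrset if r.tag == "issue"]
    if not issue:
        return True  # no CAA policy published -> unrestricted
    return any(r.value.lower() == ca_domain.lower() for r in issue)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer_ca: str
    issued_at: int  # constructed timestamp, in days

# Constructed timeline for example.com: VeriSign authorised from day 0,
# CAA switched to Comodo on day 100 (the scenario from the mail above).
CAA_HISTORY = {
    0: [parse_caa('0 issue "verisign.com"')],
    100: [parse_caa('0 issue "comodoca.com"')],
}

def caa_at(day: int) -> List[CAARecord]:
    """Return the CAA RRset that was published on the given day."""
    applicable = max(d for d in CAA_HISTORY if d <= day)
    return CAA_HISTORY[applicable]

def client_check_against_current(cert: Cert, today: int) -> bool:
    """The erroneous client check: issuer judged against today's CAA set."""
    return ca_may_issue(caa_at(today), cert.issuer_ca)

def client_check_against_issuance(cert: Cert) -> bool:
    """Issuer judged against the CAA policy in force when the cert was issued."""
    return ca_may_issue(caa_at(cert.issued_at), cert.issuer_ca)
```

A certificate issued by VeriSign on day 50 passes the issuance-time check but is rejected by the current-policy check on day 120, even though it is still valid; a real client has no way to recover the issuance-time RRset, which is the gap a separate RR for client-enforceable policy would have to address.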