[DNSOP] draft-fanf-dnsop-trust-anchor-witnesses-00.txt

Tony Finch <dot@dotat.at> Thu, 13 February 2014 20:56 UTC

Date: Thu, 13 Feb 2014 20:56:25 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: dnsop@ietf.org
Message-ID: <alpine.LSU.2.00.1402132050440.18502@hermes-1.csi.cam.ac.uk>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/EXspj6PJyE8DllvhO9fc-U1uttk
Cc: Tony Finch <dot@dotat.at>
Subject: [DNSOP] draft-fanf-dnsop-trust-anchor-witnesses-00.txt

There was some discussion last month about dispersing trust in the root.

This inspired me to write up a concrete proposal for the
quorum-of-witnesses idea that I have vaguely suggested several
times over the last few years.

All thoughts / suggestions / criticisms welcomed.

f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.

---------- Forwarded message ----------
Date: Thu, 13 Feb 2014 12:50:35 -0800
From: internet-drafts@ietf.org
To: Tony Finch <dot@dotat.at>, Tony Finch <dot@dotat.at>
Subject: New Version Notification for

A new version of I-D, draft-fanf-dnsop-trust-anchor-witnesses-00.txt
has been successfully submitted by Tony Finch and posted to the
IETF repository.

Name:		draft-fanf-dnsop-trust-anchor-witnesses
Revision:	00
Title:		The WS resource record: dispersing trust in the DNSSEC root keys
Document date:	2014-02-13
Group:		Individual Submission
Pages:		11
URL:            http://www.ietf.org/internet-drafts/draft-fanf-dnsop-trust-anchor-witnesses-00.txt
Status:         https://datatracker.ietf.org/doc/draft-fanf-dnsop-trust-anchor-witnesses/
Htmlized:       http://tools.ietf.org/html/draft-fanf-dnsop-trust-anchor-witnesses-00

   At the moment the root DNSSEC key is a single point of trust and a
   single point of failure for the whole system.  This memo describes a
   mechanism for dispersing trust in the root key.  Witnesses vouch for
   the root trust anchor by publishing WS records in the DNS.
   Validators only update their root trust anchors if multiple witnesses
   agree.  The root-witnesses.arpa zone enables a validator to bootstrap
   trust when it has no working trust anchors other than its witnesses.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
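The abstract above states the core rule: a validator replaces its root trust anchor only when multiple witnesses agree. The following is an added illustration of that quorum check, written for this archive page; it is not code from the draft or from Tony Finch. The WS record format is not given on this page, so each witness statement is modelled as an abstract (witness name, key tag, digest) triple, the witness names, key tags and digests are constructed sample values, and the threshold and split-vote handling are this example's own choices.

```python
"""Quorum-of-witnesses check for a DNSSEC root trust-anchor update.

Added illustration of the rule in the draft abstract: a validator keeps its
current root trust anchor unless enough distinct witnesses vouch for the
same replacement key. The WS record format is an assumption here: each
statement is reduced to (witness, key_tag, digest).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

KeyId = Tuple[int, str]  # (key tag, DS-style hex digest of the key)


@dataclass(frozen=True)
class WitnessStatement:
    witness: str   # zone name of the witness publishing the statement
    key_tag: int   # key tag of the root key the witness vouches for
    digest: str    # hex digest of that key (constructed values below)


def quorum_trust_anchor(statements: Iterable[WitnessStatement],
                        threshold: int) -> Optional[KeyId]:
    """Return the key that at least `threshold` distinct witnesses agree on.

    Returns None when no key reaches the threshold or when more than one key
    does (a split vote), so an attacker who controls a minority of witnesses,
    or who replays one witness's statement many times, cannot force a change.
    """
    # Each witness gets exactly one vote; repeated statements from the same
    # witness are collapsed onto the first one seen.
    votes = {}
    for s in statements:
        votes.setdefault(s.witness, (s.key_tag, s.digest))
    tally = Counter(votes.values())
    candidates = [key for key, count in tally.items() if count >= threshold]
    if len(candidates) != 1:
        return None
    return candidates[0]


def decide_update(current_anchor: KeyId,
                  statements: Iterable[WitnessStatement],
                  threshold: int) -> Tuple[KeyId, bool]:
    """Return (anchor to use, changed?). The anchor only moves on a quorum."""
    agreed = quorum_trust_anchor(statements, threshold)
    if agreed is None or agreed == current_anchor:
        return current_anchor, False
    return agreed, True


# Constructed sample data (not real root key tags or digests).
OLD_KEY: KeyId = (1001, "0a" * 16)
NEW_KEY: KeyId = (2002, "0b" * 16)
BOGUS_KEY: KeyId = (3003, "0c" * 16)

# Five witnesses: three vouch for the new key, one is stale, one is wrong.
SAMPLE_STATEMENTS = [
    WitnessStatement("w1.example", *NEW_KEY),
    WitnessStatement("w2.example", *NEW_KEY),
    WitnessStatement("w3.example", *NEW_KEY),
    WitnessStatement("w4.example", *OLD_KEY),
    WitnessStatement("w5.example", *BOGUS_KEY),
]

# One witness repeating itself must not count as three witnesses.
REPLAY_STATEMENTS = [
    WitnessStatement("w1.example", *NEW_KEY),
    WitnessStatement("w1.example", *NEW_KEY),
    WitnessStatement("w1.example", *NEW_KEY),
    WitnessStatement("w2.example", *OLD_KEY),
]

# Two keys each reaching the threshold is ambiguous and must be rejected.
SPLIT_STATEMENTS = [
    WitnessStatement("w1.example", *NEW_KEY),
    WitnessStatement("w2.example", *NEW_KEY),
    WitnessStatement("w3.example", *OLD_KEY),
    WitnessStatement("w4.example", *OLD_KEY),
]


if __name__ == "__main__":
    anchor, changed = decide_update(OLD_KEY, SAMPLE_STATEMENTS, threshold=3)
    print("anchor:", anchor, "changed:", changed)
    print("replay:", quorum_trust_anchor(REPLAY_STATEMENTS, threshold=3))
    print("split:", quorum_trust_anchor(SPLIT_STATEMENTS, threshold=2))
```

Choosing a threshold above half the witness count avoids the split case entirely; the explicit ambiguity check is kept so that a lower threshold still fails closed rather than picking one side.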