Re: [DNSOP] [Ext] Re: I-D Action: draft-ietf-dnsop-rfc5011-security-considerations-01.txt

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 01 June 2017 15:35 UTC

Date: Thu, 01 Jun 2017 11:34:56 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170601153456.n3brxhimjrgq2kip@mx4.yitter.info>
References: <149560445570.28419.14767177653896917226@ietfa.amsl.com> <33126a41-8fb6-b2d9-8d1d-2d6a9a8cf0d5@comcast.net> <ybl60gq9bq2.fsf@wu.hardakers.net> <8AF24B97-BB51-4A1C-8FF2-C53B32552ACA@vpnc.org> <401caf02-5631-de42-489c-8ca3346456a4@nthpermutation.com> <20170526015222.C1FE979B8C4F@rock.dv.isc.org> <2e27b3d9-04f7-c063-1b3a-699a41fa32df@nthpermutation.com> <B5F083EA-D82F-4502-AF3B-46CF46089203@icann.org>
In-Reply-To: <B5F083EA-D82F-4502-AF3B-46CF46089203@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SlpEmr0rCCJp6Qzsj782y4EEtN4>

On Wed, May 31, 2017 at 07:44:46PM +0000, Edward Lewis wrote:
> I ask because of the issues raised in the thread regarding the number of keys assumed in the operation.  Automated Updates apparently (to me) was defined with more than one active secure entry point in mind, but in practice, the only operating example I've witnessed of Automated Updates relies on a single active secure entry point.
> 

Remember that when DNSEXT selected the TA rollover mechanism, many of
us believed that signing the root was a pipe dream akin to the single
trust anchor for the RPKI.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com