IETF Logo Mail Archive

Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

manning <bmanning@karoshi.com> Mon, 05 October 2015 18:38 UTC

Return-Path: <bmanning@karoshi.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7501F1B330B for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 11:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NO_DNS_FOR_FROM=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LDAckZudz8k for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 11:38:16 -0700 (PDT)
Received: from vacation.karoshi.com (vacation.karoshi.com [198.32.6.68]) by ietfa.amsl.com (Postfix) with ESMTP id 35B2A1B32F2 for <dnsop@ietf.org>; Mon, 5 Oct 2015 11:37:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by vacation.karoshi.com (Postfix) with ESMTP id 77DCDC44F52; Mon, 5 Oct 2015 11:37:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at karoshi.com
Received: from vacation.karoshi.com ([127.0.0.1]) by localhost (vacation.karoshi.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sD1UayKubG3A; Mon, 5 Oct 2015 11:37:27 -0700 (PDT)
Received: from [192.168.0.4] (cpe-172-90-219-168.socal.res.rr.com [172.90.219.168]) by vacation.karoshi.com (Postfix) with ESMTPSA id EFA7DC44F48; Mon, 5 Oct 2015 11:37:19 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset="windows-1252"
From: manning <bmanning@karoshi.com>
In-Reply-To: <CAKr6gn2HG9apg9Kz9wAk-mhyCFFXKk_ZthfwdMaU+daULarhsg@mail.gmail.com>
Date: Mon, 05 Oct 2015 11:37:00 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1D129A2D-3CB2-488D-B28F-C5668002FAB8@karoshi.com>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca> <CAKr6gn2HG9apg9Kz9wAk-mhyCFFXKk_ZthfwdMaU+daULarhsg@mail.gmail.com>
To: George Michaelson <ggm@algebras.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/tHusbL1GLcA7R3X2ZXJlQzNU-YA>
Cc: dnsop WG <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 18:38:52 -0000

Out of band was discussed very early on with DNSSEC.  John Gilmore and I talked about it at the INET’98 conference.
A problem is transitive trust.  At some point you leave the DNS trust hierarchy and have to trust assertions in a different trust domain.
Sometimes several other trust domains…  I think trying to bound the problem space into a single trust domain is prudent, if only because stepping outside that space is quite large and may not be wise for an IETF document.

That said, if the RZM folks don’t document how they handle transitive trust, I would be much more worried.

manning
bmanning@karoshi.com
PO Box 6151
Playa del Rey, CA 90296
310.322.8102






On 5October2015Monday, at 7:42, George Michaelson <ggm@algebras.org> wrote:

> every time I post a reply to a thread I think a million kittens (for herding) are born Joe, so it evens out. Here's another kitten to kill...
> 
> Something very left field for me, but I believe important, is that we need to also publish the out-of-band publication point of the trust material. 
> 
> I mentioned this to Joe some time ago and was very correctly told "out of scope" but I believe its nonsensical to exclude physical publication, eg in newspapers of record for at least 3 economies worldwide, of the hash of the public key as a standing event. 
> 
> In-band only has some issues for me, if we are talking about trust.
> 
> -George
> 
> On Mon, Oct 5, 2015 at 9:14 AM, Joe Abley <jabley@hopcount.ca> wrote:
> Hi Paul,
> 
> On 5 Oct 2015, at 9:52, Paul Hoffman wrote:
> 
> Given that the title and abstract of this document disagree with what many people here have said they want the document to discuss, if the WG adopts this work item, please adopt an exact description of what is wanted with the expectation that this draft could be changed to fit the description.
> 
> I still believe the description of the document people want is best done by ICANN because it is ICANN who can describe what the publication process is today.
> 
> I think we're conflating a couple of things that could perhaps be better considered separately.
> 
> 1. This document could be published by ICANN through the IETF if they want to make it part of the historical record (what we did in 2009/2010) and also provide a reference to current practice that is easier to find (and doesn't have DRAFT written all over it) than the current reference that I think is only buried within root-dnssec.org. There's precedent for this, see e.g. RFC 7108 which was published as an individual submission. If we followed the same path, we'd be looking at dnsop to review for clarity and accuracy, but we wouldn't be asking for adoption.
> 
> 2. The current draft was originally written by me as ICANN staff and Jakob as an ICANN contractor. If there's a need to add current ICANN staff to the author list to make it look more official, surely we could do that (as we did with 7108, actually, which was published after I left ICANN).
> 
> 3. If ICANN prefers not to see this draft published in the RFC series, then that's a good reason not to do it. The value in this document (wherever it is published) lies in it being real, which means we need ICANN's support, e.g. through references in the KSK maintainer's DPS. If that's the preference, let's hear so, clearly. Right now it's difficult to distinguish between individual contributors' opinions and the desires of the IANA Functions Operator.
> 
> 4. If there are elements in the current text that don't match current practice, then let's hear what they are. So far comments to that effect are causing some alarm, but without details it's hard to know what to do with them.
> 
> I am not advocating for any particular direction -- I'd just like to move this draft *somewhere*, whether that's towards the IESG or towards the garbage can of history. Every time we rev the doc without just to stop it expiring, another kitten dies.
> 
> 
> Joe
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email