Re: [dnsop] Comments on draft-ietf-dnsop-key-rollover-requirements
Ben Laurie <ben@algroup.co.uk> Thu, 23 September 2004 09:23 UTC
Received: from darkwing.uoregon.edu (root@darkwing.uoregon.edu [128.223.142.13]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA25331 for <dnsop-archive@lists.ietf.org>; Thu, 23 Sep 2004 05:23:16 -0400 (EDT)
Received: from darkwing.uoregon.edu (majordom@localhost [127.0.0.1]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id i8N7wJHt021117; Thu, 23 Sep 2004 00:58:19 -0700 (PDT)
Received: (from majordom@localhost) by darkwing.uoregon.edu (8.12.11/8.12.11/Submit) id i8N7wJxI021116; Thu, 23 Sep 2004 00:58:19 -0700 (PDT)
Received: from scuzzy.ben.algroup.co.uk (dsl-217-155-92-105.zen.co.uk [217.155.92.105]) by darkwing.uoregon.edu (8.12.11/8.12.11) with ESMTP id i8N7wH6H021094 for <dnsop@lists.uoregon.edu>; Thu, 23 Sep 2004 00:58:18 -0700 (PDT)
Received: from [193.133.15.218] (ben-xp2.ben.algroup.co.uk [193.133.15.218]) by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP id EFE6E1FF888; Thu, 23 Sep 2004 07:58:15 +0000 (GMT)
Message-ID: <4152821A.10002@algroup.co.uk>
Date: Thu, 23 Sep 2004 08:58:18 +0100
From: Ben Laurie <ben@algroup.co.uk>
User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Olaf M. Kolkman" <olaf@ripe.net>
Cc: gilles.guette@irisa.fr, dnsop@lists.uoregon.edu, olivier.courtay@thomson.net
Subject: Re: [dnsop] Comments on draft-ietf-dnsop-key-rollover-requirements
References: <20040907142552.75b9f1dc.olaf@ripe.net>
In-Reply-To: <20040907142552.75b9f1dc.olaf@ripe.net>
X-Enigmail-Version: 0.86.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
Reply-To: Ben Laurie <ben@algroup.co.uk>
Olaf M. Kolkman wrote:
> I hope that other WG participants look at this draft as well.

As requested, I've just been through it. Comments below...

Generally: there's no mention of what keys will be used to authenticate key rollover. I would say that it should be a requirement that these are _not_ the same as any of the KSKs or ZSKs in use for signing the zone. There also should be, IMO, no way to automatically roll such keys, or you end up in an infinite regression.

I'm also a little surprised that it is proposed to invent yet another mechanism for exchanging and authenticating keys when several exist already, such as OpenPGP or X.509. Why not reuse one of these?

> 5. Emergency Rollover

This section appears to be suggesting that emergency rollover can be automated. Whilst this is true if the above requirements are adopted, it needs to be clear that if the rollover authentication keys have been compromised, some other mechanism MUST be used.

Cheers,

Ben.

-- 
ApacheCon! 13-17 November! http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
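The key separation argued for in the message above, as an added example that is not part of this thread or of the draft: a toy Python model in which a dedicated rollover-authentication key, never published in the zone's DNSKEY RRset, is the only key that can authenticate a rollover message. The automated path rejects a message authenticated with any KSK or ZSK, rejects any attempt to roll the authentication key itself, and an emergency rollover of the authentication key is routed out of band. HMAC-SHA256 stands in for a real signature, the "public" half of a key is modelled as the SHA-256 of its secret, and the zone name, key ids, message layout and the helper names (`Zone`, `apply_rollover`, `emergency_plan`) are all constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Key roles. ROLLOVER_AUTH is the dedicated key that authenticates rollover
# messages; it is held by the operator's rollover tooling and never appears
# in the zone's DNSKEY RRset. (Constructed model, not the draft's mechanism.)
ROLE_ZSK, ROLE_KSK, ROLE_ROLLOVER_AUTH = "ZSK", "KSK", "ROLLOVER_AUTH"


@dataclass(frozen=True)
class Key:
    key_id: int
    role: str
    secret: bytes  # private half; HMAC under it stands in for a real signature

    @property
    def public(self) -> bytes:
        # Modelled public half: the only part that is ever published or transmitted.
        return hashlib.sha256(self.secret).digest()


def new_key(key_id: int, role: str) -> Key:
    return Key(key_id, role, secrets.token_bytes(32))


def sign(key: Key, message: bytes) -> bytes:
    return hmac.new(key.secret, message, hashlib.sha256).digest()


def verify(key: Key, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), sig)


class RolloverError(Exception):
    pass


@dataclass
class Zone:
    name: str
    dnskeys: dict[int, tuple[str, bytes]]  # key_id -> (role, public): the DNSKEY RRset
    rollover_auth: Key                     # dedicated rollover-authentication key

    def rollover_message(self, old_id: int, new: Key) -> bytes:
        # "replace old_id with new (role, public)"; only public material travels.
        return b"|".join([self.name.encode(), str(old_id).encode(),
                          str(new.key_id).encode(), new.role.encode(),
                          new.public.hex().encode()])

    def apply_rollover(self, message: bytes, signer_id: int, sig: bytes) -> None:
        # Requirement 1: a zone signing key (KSK or ZSK) never authenticates a rollover.
        if signer_id in self.dnskeys:
            role = self.dnskeys[signer_id][0]
            raise RolloverError(f"key {signer_id} is a {role}; zone keys must not authenticate rollovers")
        if signer_id != self.rollover_auth.key_id:
            raise RolloverError(f"key {signer_id} is not the rollover-authentication key")
        if not verify(self.rollover_auth, message, sig):
            raise RolloverError("bad signature on rollover message")

        zone, old_id, new_id, role, public_hex = message.split(b"|")
        old_id, new_id, role = int(old_id), int(new_id), role.decode()
        if zone != self.name.encode():
            raise RolloverError("rollover message is for a different zone")
        # Requirement 2: the automated path never rolls the authentication key itself;
        # that takes an out-of-band procedure, or the chain of authority regresses forever.
        if role == ROLE_ROLLOVER_AUTH or old_id == self.rollover_auth.key_id:
            raise RolloverError("rollover-authentication key cannot be rolled automatically")
        if old_id not in self.dnskeys or self.dnskeys[old_id][0] != role:
            raise RolloverError(f"no {role} with key id {old_id} in the zone")
        del self.dnskeys[old_id]
        self.dnskeys[new_id] = (role, bytes.fromhex(public_hex.decode()))


def emergency_plan(zone: Zone, compromised_id: int) -> str:
    """Which path an emergency rollover takes for a given compromised key."""
    if compromised_id == zone.rollover_auth.key_id:
        return "out-of-band"  # the automated path can no longer be trusted
    if compromised_id in zone.dnskeys:
        return "automated"    # KSK/ZSK compromise: roll it under the authentication key
    raise RolloverError(f"unknown key id {compromised_id}")


def rejected(action) -> bool:
    try:
        action()
    except RolloverError:
        return True
    return False


def demo() -> dict:
    # Constructed zone: one ZSK, one KSK, and a separate rollover-authentication key.
    zone = Zone("example.net.", {}, new_key(9001, ROLE_ROLLOVER_AUTH))
    zsk, ksk = new_key(1001, ROLE_ZSK), new_key(2001, ROLE_KSK)
    zone.dnskeys = {k.key_id: (k.role, k.public) for k in (zsk, ksk)}
    out = {}
    # Routine ZSK rollover authenticated by the dedicated key: accepted.
    msg1 = zone.rollover_message(1001, new_key(1002, ROLE_ZSK))
    zone.apply_rollover(msg1, 9001, sign(zone.rollover_auth, msg1))
    out["zsk_rolled"] = sorted(zone.dnskeys) == [1002, 2001]
    # A KSK holder pushing a rollover authenticated with the KSK: rejected before any crypto.
    msg2 = zone.rollover_message(2001, new_key(2002, ROLE_KSK))
    out["ksk_signed"] = rejected(lambda: zone.apply_rollover(msg2, 2001, sign(ksk, msg2)))
    # Rolling the authentication key through the automated path: rejected.
    msg3 = zone.rollover_message(9001, new_key(9002, ROLE_ROLLOVER_AUTH))
    out["auth_key_roll"] = rejected(
        lambda: zone.apply_rollover(msg3, 9001, sign(zone.rollover_auth, msg3)))
    out["keys"] = sorted(zone.dnskeys)
    out["plan_ksk"] = emergency_plan(zone, 2001)
    out["plan_auth"] = emergency_plan(zone, 9001)
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks in `apply_rollover` are ordered so that the role check runs before signature verification: a compromised KSK or ZSK is rejected on identity alone, and only the one dedicated key is ever tried for the MAC. `emergency_plan` encodes the last point of the message: a compromised KSK/ZSK can still be rolled automatically under the authentication key, while a compromised authentication key has no automated remedy.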
- [dnsop] Comments on draft-ietf-dnsop-key-rollover… Olaf M. Kolkman
- Re: [dnsop] Comments on draft-ietf-dnsop-key-roll… Francis Dupont
- Re: [dnsop] Comments on draft-ietf-dnsop-key-roll… Gilles Guette
- Re: [dnsop] Comments on draft-ietf-dnsop-key-roll… Ben Laurie