Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

Paul Wouters <paul@xelerance.com> Thu, 21 January 2010 17:52 UTC

Date: Thu, 21 Jan 2010 12:52:47 -0500
From: Paul Wouters <paul@xelerance.com>
To: Olaf Kolkman <olaf@NLnetLabs.nl>
In-Reply-To: <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl>
Message-ID: <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt

On Thu, 21 Jan 2010, Olaf Kolkman wrote:

> In trying to get a reasonable version 2 out of the door before Anaheim I am trying to identify and, where possible, close open issues.
>
> As a reminder: http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/ has the open issues listed and a per issue highlight of their history.

I still don't see any recommendations regarding NSEC vs NSEC3. I mailed you
some comments about two IETFs ago, I believe. Do you still have that email,
or should I try to dig it out?

> This thread, about the use of HSMs, is captured in http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/HSMs; the content of that page is replicated below.

That looks fine to me. Perhaps clarify that the "someone" who could make a
copy of your key could be the zone operator, and that in some situations
you might want to trust the zone administrator with the ZSK, allow him to
use the HSM-based KSK, but not give him access to read or copy the private
key of the KSK. This would allow one to keep using the KSK even after a
zone administrator has left the organisation.

Paul