Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
Paul Wouters <paul@xelerance.com> Thu, 21 January 2010 17:52 UTC
Return-Path: <paul@xelerance.com>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21F9E3A6AB8 for <dnsop@core3.amsl.com>; Thu, 21 Jan 2010 09:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DqPJBY0pBH9J for <dnsop@core3.amsl.com>; Thu, 21 Jan 2010 09:52:54 -0800 (PST)
Received: from newtla.xelerance.com (newtla.xelerance.com [193.110.157.143]) by core3.amsl.com (Postfix) with ESMTP id CF1383A6A21 for <dnsop@ietf.org>; Thu, 21 Jan 2010 09:52:53 -0800 (PST)
Received: from tla.xelerance.com (tla.xelerance.com [193.110.157.130]) by newtla.xelerance.com (Postfix) with ESMTP id D22C4571B3; Thu, 21 Jan 2010 12:52:47 -0500 (EST)
Date: Thu, 21 Jan 2010 12:52:47 -0500
From: Paul Wouters <paul@xelerance.com>
To: Olaf Kolkman <olaf@NLnetLabs.nl>
In-Reply-To: <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl>
Message-ID: <alpine.LFD.1.10.1001211245180.12114@newtla.xelerance.com>
References: <200904282021.n3SKL3sg051528@givry.fdupont.fr> <59A58419-FDBD-4810-B2FA-0D293FFA00A5@NLnetLabs.nl>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-rfc4641bis-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2010 17:52:55 -0000
On Thu, 21 Jan 2010, Olaf Kolkman wrote: > In trying to get a reasonable version 2 out of the door before Anaheim I am trying to identify and where possibly close open issues. > > As a reminder: http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/ has the open issues listed and a per issue highlight of their history. I still don't see any recommendations regarding NSEC vs NSEC3. I mailed you some comments about two IETF's ago I believe. Do you still have that email, or should I try to dig it out? > This thread, about the use of HSMs, is captured in http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/HSMs the content of that page is replicated below. That looks fine to me. Perhaps clarify that the "someone" who could make a copy of your key could be the zone operator, and that in some situations you might want to trust the zone administrator with the ZSK, allow him to use the HSM based KSK, but not give him access to read or copy the private key of the KSK. This would allow one to keep using the KSK even after a zone administrator has left the organisation. Paul
- [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bis-01… Internet-Drafts
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bi… Shane Kerr
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bi… Edward Lewis
- Re: [DNSOP] I-D Action:draft-ietf-dnsop-rfc4641bi… Florian Weimer
- [DNSOP] HSMs was Re: I-D Action:draft-ietf-dnsop-… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Stephane Bortzmeyer
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Andrew Sullivan
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Shane Kerr
- [DNSOP] Key sizes was Re: I-D Action:draft-ietf-d… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Andrew Sullivan
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Shane Kerr
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Shane Kerr
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Shane Kerr
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Chris Thompson
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Shane Kerr
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Jelte Jansen
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Evan Hunt
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Edward Lewis
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] Key sizes bmanning
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Hoffman
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Paul Wouters
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Ted Lemon
- Re: [DNSOP] Key sizes was Re: I-D Action:draft-ie… Joe Abley
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Peter Koch
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Joe Abley
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Edward Lewis
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Hoffman
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Francis Dupont
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Olaf Kolkman
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Richard Lamb
- Re: [DNSOP] HSMs was Re: I-D Action:draft-ietf-dn… Paul Wouters
- [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Edward Lewis
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olafur Gudmundsson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Matt Larson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. bmanning
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. W.C.A. Wijngaards
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olafur Gudmundsson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Andrew Sullivan
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olafur Gudmundsson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Todd Glassey
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. John Dickinson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. W.C.A. Wijngaards
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. W.C.A. Wijngaards
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Matt Larson
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Edward Lewis
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Todd Glassey
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Andrew Sullivan
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- [DNSOP] threads having "jumped the shark" was Re:… Edward Lewis
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Jakob Schlyter
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Eric Rescorla
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Andrew Sullivan
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Mark Andrews
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Alex Bligh
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Florian Weimer
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Florian Weimer
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Olaf Kolkman
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Todd Glassey
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Nicholas Weaver
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Evan Hunt
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Roy Arends
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Paul Wouters
- Re: [DNSOP] rfc4641bis: NSEC vs NSEC3. Doug Barton