Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Russ Housley <housley@vigilsec.com> Tue, 17 July 2012 23:06 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A76721F85C2; Tue, 17 Jul 2012 16:06:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.696
X-Spam-Level:
X-Spam-Status: No, score=-102.696 tagged_above=-999 required=5 tests=[AWL=-0.097, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q7mmVLY+fkkT; Tue, 17 Jul 2012 16:05:58 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id CAEE821F85C0; Tue, 17 Jul 2012 16:05:58 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id A41BAF2403F; Tue, 17 Jul 2012 19:07:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id muoVV8rOdrNG; Tue, 17 Jul 2012 19:06:45 -0400 (EDT)
Received: from [192.168.2.100] (pool-96-255-37-162.washdc.fios.verizon.net [96.255.37.162]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id BCF87F2403D; Tue, 17 Jul 2012 19:07:02 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <29BF6AF1-3924-42F0-B8BD-1B1250CAECD6@hopcount.ca>
Date: Tue, 17 Jul 2012 19:06:44 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <57D81A5A-B80B-4DC1-87FE-450E91A01A20@vigilsec.com>
References: <003c01cd6225$6f4cab60$4de60220$@akayla.com> <72D7767E-8AE5-4A91-BE2C-4A949997C5CA@vigilsec.com> <29BF6AF1-3924-42F0-B8BD-1B1250CAECD6@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.1084)
Cc: gen-art@ietf.org, ietf@ietf.org, draft-ietf-dnsop-dnssec-dps-framework.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 23:06:00 -0000

Joe:

I think you missed my point.  In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier.  I do not see a similar concept here.

Russ


On Jul 16, 2012, at 6:33 PM, Joe Abley wrote:

> Hi Russ,
> 
> On 2012-07-15, at 11:39, Russ Housley wrote:
> 
>> Peter:
>> 
>> Thanks for the review.  I've not read this document yet, but you review raises a question in my mind.
>> 
>> If a DNSSEC policy or practice statement is revised or amended, what actions are needed make other aware of the change?
> 
> Each DPS contains these kinds of details. Guidance for how to write the corresponding DPS sections is included in this draft:
> 
> 4.2.  Publication and repositories
> 
>   The component describes the requirements for an entity to publish
>   information regarding its practices, public keys, the current status
>   of such keys together with details relating to the repositories in
>   which the information is held.  This may include the responsibilities
>   of publishing the DPS and of identifying documents that are not made
>   publicly available owing to their sensitive nature, e.g. security
>   controls, clearance procedures, or business information.
> 
> 4.2.1.  Repositories
> 
>   This subcomponent describes the repository mechanisms used for making
>   information available to the stakeholders, and may include:
> 
>   o  The locations of the repositories and the means by which they may
>      be accessed;
> 
>   o  An identification of the entity or entities that operate
>      repositories, such as a zone operator or a TLD Manager;
> 
>   o  Access control on published information objects.
> 
>   o  Any notification services which may be subscribed to by the
>      stakeholders;
> 
> 
> Joe
>