Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Stephen Kent <kent@bbn.com> Wed, 18 July 2012 15:54 UTC

Message-ID: <5006DC70.7000500@bbn.com>
Date: Wed, 18 Jul 2012 11:55:28 -0400
From: Stephen Kent <kent@bbn.com>
To: jabley@hopcount.ca, russ housley <housley@vigilsec.com>, Peter Yee <peter@akayla.com>, ietf@ietf.org, gen-art@ietf.org, draft-ietf-dnsop-dnssec-dps-framework.all@tools.ietf.org
References: <003c01cd6225$6f4cab60$4de60220$@akayla.com> <72D7767E-8AE5-4A91-BE2C-4A949997C5CA@vigilsec.com> <29BF6AF1-3924-42F0-B8BD-1B1250CAECD6@hopcount.ca> <57D81A5A-B80B-4DC1-87FE-450E91A01A20@vigilsec.com> <5AAD9253-F597-4B57-9BA8-C067B3E3839D@hopcount.ca> <E0BFBA85-85C2-46BA-8406-99990C204295@vigilsec.com>
In-Reply-To: <E0BFBA85-85C2-46BA-8406-99990C204295@vigilsec.com>
Subject: Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Joe
>> You're right, I did miss your point, quite thoroughly :-)
>>
>> I am guessing that the answer is that there's no corresponding facility in DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for.

In X.509 each cert can contain a policy OID that indicates the policy 
under which the cert was issued. Thus, when a CA changes its policy it 
can issue certs under the new policy with the new policy OID. This makes 
it clear to relying parties what policy is in effect, and when a CA 
changes its policy, irrespective of other changes, e.g., key rollover.

Steve
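[Editor's added example, not part of the thread above or of the draft under review.] The mechanism Steve describes is the certificatePolicies extension of RFC 5280 (section 4.2.1.4): a SEQUENCE of PolicyInformation, each carrying a policyIdentifier OID. The code below DER-encodes such an extension value, decodes it back, and runs the relying-party decision (accept only certs that assert one of the policies you trust, or anyPolicy), which depends only on the OID and not on which key signed the cert. The anyPolicy OID 2.5.29.32.0 is the real one from RFC 5280; the private-enterprise policy OIDs under 1.3.6.1.4.1.99999 are made up for illustration, and the extension bytes are constructed inline rather than taken from a real certificate.

```python
"""DER encode/decode of an X.509 certificatePolicies extension value and a
relying-party policy check. Added illustration; the 1.3.6.1.4.1.99999.* OIDs
are hypothetical, 2.5.29.32.0 (anyPolicy) is the RFC 5280 value."""

ANY_POLICY = "2.5.29.32.0"


def encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(dotted: str) -> str.encode.__class__ if False else bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted-decimal form."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    body = bytearray()
    # First two arcs are packed into one sub-identifier; each sub-identifier is
    # base-128 with the continuation bit set on all but the last octet.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunks = [value & 0x7F]
        value >>= 7
        while value:
            chunks.append((value & 0x7F) | 0x80)
            value >>= 7
        body.extend(reversed(chunks))
    return bytes([0x06]) + encode_length(len(body)) + bytes(body)


def encode_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return bytes([0x30]) + encode_length(len(body)) + body


def encode_certificate_policies(oids) -> bytes:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation;
    PolicyInformation ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }.
    Qualifiers (CPS URI, user notice) are omitted here."""
    return encode_sequence(*(encode_sequence(encode_oid(o)) for o in oids))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_certificate_policies(der: bytes):
    """Return the list of policy OIDs asserted in an extension value."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def policy_acceptable(ext_der, accepted) -> bool:
    """Relying-party decision: the cert is usable if it asserts a policy the
    relying party trusts, or anyPolicy. A cert with no certificatePolicies
    extension (ext_der is None) asserts nothing and is rejected. The test does
    not look at the signing key, so it is unaffected by a CA key rollover."""
    if ext_der is None:
        return False
    asserted = set(decode_certificate_policies(ext_der))
    return ANY_POLICY in asserted or bool(asserted & set(accepted))


if __name__ == "__main__":
    old_policy, new_policy = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"
    ext = encode_certificate_policies([new_policy])  # cert issued under new policy
    print(ext.hex(), decode_certificate_policies(ext))
    print("accepts old-policy RP:", policy_acceptable(ext, [old_policy]))
    print("accepts new-policy RP:", policy_acceptable(ext, [new_policy]))
```

A real path validator (RFC 5280 section 6.1) also intersects policies along the whole chain and honours policy mappings and inhibitAnyPolicy, but the leaf-level check above is the part that has no DNSSEC counterpart: a DNSKEY RR carries flags, protocol and algorithm fields only, so a resolver cannot read a policy identifier off the key the way a relying party reads it off a certificate.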