Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Joe Abley <jabley@hopcount.ca> Tue, 17 July 2012 23:31 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <57D81A5A-B80B-4DC1-87FE-450E91A01A20@vigilsec.com>
Date: Tue, 17 Jul 2012 19:32:16 -0400
Message-Id: <5AAD9253-F597-4B57-9BA8-C067B3E3839D@hopcount.ca>
References: <003c01cd6225$6f4cab60$4de60220$@akayla.com> <72D7767E-8AE5-4A91-BE2C-4A949997C5CA@vigilsec.com> <29BF6AF1-3924-42F0-B8BD-1B1250CAECD6@hopcount.ca> <57D81A5A-B80B-4DC1-87FE-450E91A01A20@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Cc: gen-art@ietf.org, ietf@ietf.org, draft-ietf-dnsop-dnssec-dps-framework.all@tools.ietf.org

Hi Russ,

On 2012-07-17, at 19:06, Russ Housley wrote:

> I think you missed my point.  In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier.  I do not see a similar concept here.

You're right, I did miss your point, quite thoroughly :-)

I am guessing that the answer is that there's no corresponding facility in DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for.


Joe
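As an added illustration of the point discussed above (this is not code from the thread, the draft, or either author), the following Python parses a DNSKEY RR from presentation format per RFC 4034 section 2 and computes its key tag per RFC 4034 appendix B. The sample record is constructed and its key bytes are made up. It shows what a DS or RRSIG can actually reference about a key: owner name, algorithm and key tag. The RDATA carries only flags, protocol, algorithm and public key material, so any policy an operator's DPS describes has to be tracked outside the record (for example by pinning that identity tuple and the DPS version in the validator operator's own records).

```python
"""DNSKEY RR parsing and key tag computation (RFC 4034 sections 2 and appendix B)."""
import base64
from dataclasses import dataclass

# Constructed sample record (not a real zone key; the key blob is made up).
# Presentation fields: owner TTL class DNSKEY flags protocol algorithm key(base64)
SAMPLE_DNSKEY = "example. 3600 IN DNSKEY 257 3 8 AwEAAavN7wE="

ZONE_KEY_FLAG = 0x0100  # flags bit 7: this is a zone key
SEP_FLAG = 0x0001       # flags bit 15: Secure Entry Point, conventionally a KSK
DNSSEC_PROTOCOL = 3     # RFC 4034 requires the protocol field to be 3


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 appendix B: sum the RDATA as 16-bit words, fold the carry once."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def role(self) -> str:
        """Interpret the flags field; DNSSEC has no further policy field to read."""
        if not self.flags & ZONE_KEY_FLAG:
            return "not a zone key"
        return "KSK" if self.flags & SEP_FLAG else "ZSK"

    def identity(self) -> tuple:
        """The tuple a DS or RRSIG record uses to refer to this key."""
        return (self.owner, self.algorithm, self.key_tag())


def parse_dnskey(text: str) -> DNSKEY:
    """Parse one DNSKEY RR in presentation format (TTL and class are optional)."""
    tokens = text.split()
    try:
        idx = tokens.index("DNSKEY")
    except ValueError:
        raise ValueError("not a DNSKEY record") from None
    if idx + 4 > len(tokens):
        raise ValueError("DNSKEY record is missing RDATA fields")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits")
    if protocol != DNSSEC_PROTOCOL:
        # RFC 4034 section 2.1.2: any other value makes the key unusable for DNSSEC.
        raise ValueError(f"protocol must be {DNSSEC_PROTOCOL}, got {protocol}")
    # The key may be split over several whitespace-separated base64 tokens.
    key_b64 = "".join(tokens[idx + 4:])
    public_key = base64.b64decode(key_b64, validate=True)
    return DNSKEY(owner, flags, protocol, algorithm, public_key)


if __name__ == "__main__":
    key = parse_dnskey(SAMPLE_DNSKEY)
    print("rdata   :", key.rdata().hex())
    print("role    :", key.role())
    print("identity:", key.identity())
```

Running the block prints the RDATA bytes, the role derived from the flags, and the (owner, algorithm, key tag) identity; note that nothing in the parsed structure can distinguish a key issued under one version of a DPS from a key issued under another.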