Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Russ Housley <housley@vigilsec.com> Wed, 18 July 2012 15:48 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Wed, 18 Jul 2012 11:49:02 -0400
To: Joe Abley <jabley@hopcount.ca>
Cc: gen-art@ietf.org, ietf@ietf.org, draft-ietf-dnsop-dnssec-dps-framework.all@tools.ietf.org
Subject: Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Joe:

>> I think you missed my point.  In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier.  I do not see a similar concept here.
> 
> You're right, I did miss your point, quite thoroughly :-)
> 
> I am guessing that the answer is that there's no corresponding facility in DNSSEC for a policy identifier to be published with a DNSKEY RR, but I say that largely ignorant of X.509 and attendant CA policy and hence perhaps am still misunderstanding what you're looking for.

So a DNSSEC signer starts under one set of documents, and then for whatever reason, the policy changes and the parties validating the signature have no means to determine that the signer is following a new policy.  So I am missing the value of the policy to the parties that rely on these signatures.

Russ