Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Joe Abley <jabley@hopcount.ca> Wed, 18 July 2012 18:08 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <E0BFBA85-85C2-46BA-8406-99990C204295@vigilsec.com>
Date: Wed, 18 Jul 2012 14:09:26 -0400
Message-Id: <D2FB5989-E220-4E00-A760-84C85C88A56E@hopcount.ca>
References: <003c01cd6225$6f4cab60$4de60220$@akayla.com> <72D7767E-8AE5-4A91-BE2C-4A949997C5CA@vigilsec.com> <29BF6AF1-3924-42F0-B8BD-1B1250CAECD6@hopcount.ca> <57D81A5A-B80B-4DC1-87FE-450E91A01A20@vigilsec.com> <5AAD9253-F597-4B57-9BA8-C067B3E3839D@hopcount.ca> <E0BFBA85-85C2-46BA-8406-99990C204295@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Peter Yee <peter@akayla.com>, gen-art@ietf.org, ietf@ietf.org, draft-ietf-dnsop-dnssec-dps-framework.all@tools.ietf.org

On 2012-07-18, at 11:49, Russ Housley wrote:

> So a DNSSEC signer starts under one set of documents, and then for whatever reason, the policy changes and the parties validating the signature have no means to determine that the signer is following a new policy.

They have means; they just don't have a way of deriving a specific policy from a specific DNSKEY. The available means are documented in the DPS.

> So I am missing the value of the policy to the parties that rely on these signatures.

Your suggestion is that if there's no way to get to the policy just from the contents of a DNSKEY RR, there's no point publishing a policy at all?


Joe
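As an added illustration of the point under discussion (not part of the thread and not code from any of its participants), the block below parses a DNSKEY RR in presentation format and computes its key tag per RFC 4034 Appendix B. It shows exactly what a validator can learn from the RR itself: owner name, flags, protocol, algorithm, public key bytes and the derived key tag. None of those fields names a DPS or policy; that link has to come from outside the DNSKEY. The two records, the `example.` owner name and the helper functions are constructed assumptions for the example.

```python
"""
Added illustration: what a DNSKEY RR actually carries, and nothing more.
Parses presentation-format DNSKEY records and computes the RFC 4034
Appendix B key tag.  The records at the bottom are constructed toy keys
(assumed for this example), not real zone data.
"""
import base64
import struct
from dataclasses import dataclass

# Subset of the IANA DNSSEC algorithm number registry.
ALGORITHMS = {
    5: "RSASHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

ZONE_KEY_FLAG = 0x0100  # RFC 4034 2.1.1, bit 7: the key is a zone key
SEP_FLAG = 0x0001       # RFC 4034 2.1.1, bit 15: Secure Entry Point (KSK by convention)


@dataclass
class DNSKEY:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (2 octets), protocol (1), algorithm (1), key.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B.1: sum even octets shifted left by 8 and odd
        octets as-is, fold the carry back in, keep the low 16 bits."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_zone_key(self) -> bool:
        return bool(self.flags & ZONE_KEY_FLAG)

    def is_ksk(self) -> bool:
        return self.is_zone_key() and bool(self.flags & SEP_FLAG)

    def algorithm_name(self) -> str:
        return ALGORITHMS.get(self.algorithm, f"UNKNOWN({self.algorithm})")


def parse_dnskey(line: str) -> DNSKEY:
    """Parse '<owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <base64...>'.
    The base64 key may be split across several whitespace-separated tokens."""
    tokens = line.split()
    if len(tokens) < 8 or tokens[2].upper() != "IN" or tokens[3].upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    owner, ttl = tokens[0], int(tokens[1])
    flags, protocol, algorithm = (int(t) for t in tokens[4:7])
    if protocol != 3:
        # RFC 4034 2.1.2: the protocol field MUST be 3; anything else is invalid.
        raise ValueError(f"DNSKEY protocol field must be 3, got {protocol}")
    key = base64.b64decode("".join(tokens[7:]), validate=True)
    return DNSKEY(owner, ttl, flags, protocol, algorithm, key)


def describe(rr: DNSKEY) -> dict:
    """Every property a validator can derive from the RR alone.  There is no
    field here that identifies a DPS or a policy; that is the thread's point."""
    return {
        "owner": rr.owner,
        "key_tag": rr.key_tag(),
        "flags": rr.flags,
        "role": "KSK" if rr.is_ksk() else ("ZSK" if rr.is_zone_key() else "not a zone key"),
        "algorithm": rr.algorithm_name(),
        "key_bytes": len(rr.public_key),
    }


# Constructed toy records (assumed for this example; not real keys).
CONSTRUCTED_RECORDS = [
    "example. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example. 3600 IN DNSKEY 256 3 13 //8=",
]

if __name__ == "__main__":
    for text in CONSTRUCTED_RECORDS:
        print(describe(parse_dnskey(text)))
```

The key tag is the only value a validator derives from the RR beyond its literal fields, and it exists to disambiguate keys within an RRset, not to point at a document; whatever maps a key to the policy it was generated under has to be published separately, which is what a DPS is for.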