Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

Fredrik Ljunggren <fredrik@kirei.se> Thu, 19 July 2012 07:41 UTC

To: Russ Housley <housley@vigilsec.com>
Cc: Peter Yee <peter@akayla.com>, gen-art@ietf.org, draft-ietf-dnsop-dnssec-dps-framework.all@tools.ietf.org, ietf@ietf.org

On 2012-07-18, at 01:06, Russ Housley wrote:

> I think you missed my point.  In a PKI, when the issuer significantly changes the policy, subsequent certificates have a different policy identifier.  I do not see a similar concept here.

Russ, you are right. There is no such concept in DNSSEC (yet). Simply by looking at the signed data, there is no way of determining under what policy the data has been signed. Interested parties must stay informed using the process specified in section 1.4.3 (Specification change procedures) of the DPS.

Generally speaking, DNSSEC signatures are short-lived. From the time a new policy is in effect, old signatures will be flushed out within days. However, if there are significant changes made to the policy which materially affect the security posture of the zone, there may be several reasons to roll the signing key(s) and to indicate this in the DPS. This way, the validating party will be able to determine under what policy a signature has been generated, and act accordingly.

- Fredrik
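One way a validating party could apply the key-roll approach described above, as an added example that is not from the draft, this thread or any IETF code: it computes DNSKEY key tags per RFC 4034 Appendix B, parses an RRSIG in presentation format, and maps the signing key plus the signature inception time to a policy version using a constructed DPS key timeline. The zone name `example.`, the key material and the DPS version labels are assumptions.

```python
from datetime import datetime, timezone

def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, as specified in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _ts(s: str) -> datetime:
    """RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(rdata_text: str) -> dict:
    """Split RRSIG RDATA presentation format (RFC 4034 section 3.2) into fields."""
    f = rdata_text.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": _ts(f[4]), "inception": _ts(f[5]),
            "key_tag": int(f[6]), "signer": f[7].lower(), "signature": "".join(f[8:])}

# Constructed DPS key timeline (hypothetical): which signing key served under
# which DPS version, the kind of information a DPS could publish alongside
# its section 1.4.3 change procedure. The keys below are not real keys.
OLD_KSK = (257, 3, 8, b"\x01\x02\x03\x04")   # constructed: flags, protocol, alg, pubkey
NEW_KSK = (257, 3, 8, b"\x05\x06\x07\x08")   # constructed: rolled in with DPS 1.1
DPS_KEY_TIMELINE = [
    # (signer, key tag, policy version, in service from, in service until)
    ("example.", dnskey_key_tag(*OLD_KSK), "DPS 1.0", _ts("20120101000000"), _ts("20120701000000")),
    ("example.", dnskey_key_tag(*NEW_KSK), "DPS 1.1", _ts("20120701000000"), None),
]

def policy_for_rrsig(rrsig: dict, timeline=DPS_KEY_TIMELINE):
    """Policy version a signature was generated under, judged by the key that
    produced it and the signature inception time (not the validation time, so a
    still-valid signature made before the roll is attributed to the old policy).
    Returns None when the timeline does not cover the key: the signed data alone
    cannot tell you the policy. Key tags are not unique, so a real validator
    would match the DNSKEY RDATA itself rather than only the 16-bit tag."""
    for signer, tag, policy, start, end in timeline:
        if (signer == rrsig["signer"] and tag == rrsig["key_tag"]
                and start <= rrsig["inception"]
                and (end is None or rrsig["inception"] < end)):
            return policy
    return None
```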