On Tue, May 19, 2009 at 02:38:01PM +0100, John Dickinson wrote:
> Sz sez...
>
> >Please don't change this. Making finer distinctions in one document,
> >clearly defined, is one thing. But please don't try to change
> >terminology we're finally starting to get people to use; it's been
> >(and continues to be) hard enough to get them to stop talking about
> >one key and the singular act of signing.
>
> This was kind of my idea - so maybe I can explain my thinking a bit. I
> am wondering if this document should restrict itself purely to
> considering keys and say nothing about what is signed by those keys.
> Therefore, it would not use the KSK and ZSK terminology.
>
> You could have keys with the following set of properties:
> - how they are rolled (pre-publish or double key)
> - the SEP bit on or off
> - bit 7 (zone key bit always set)
> - bit 8 revoked bit
> - protocol == 3
> - an algorithm
> - a size
> - is this key intended to be pointed to by a DS RR?
> - is the zone operator doing RFC5011?

are you going to focus on the key, its intended/expected use or
something else (the signatures or the items covered by the signatures...)

> Some of these properties impact on, or are altered by, timing
> considerations.

for the key... timing is immaterial. only the signature has a temporal
consideration. unless you want to equate key visibility with time.

> Some combinations of these properties make useful keys and it may well
> be best practice to use them to sign particular RRSets. However, I
> wonder if this draft is the place to comment on that issue - would it
> be better in a BCP. This draft could just consider the timing
> considerations for keys with particular (anticipated to be useful)
> sets of properties and be pointed to by a BCP which says which
> properties a good KSK, ZSK or anotherSK should have and what RRSets
> they actually sign.
>
> John
>
> ---
> John Dickinson
> http://www.jadickinson.co.uk
>
> I am riding from Land's End to John O'Groats to raise money for
> Parkinson's Disease Research. Please sponsor me here
> http://justgiving.com/pedalforparkinsons2009

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
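
The record-level properties in the quoted list (SEP bit, zone key bit 7, revoke bit 8, protocol, algorithm, size) can be read straight from DNSKEY RDATA. The sketch below is an added example, not part of the thread or of any draft; the function names are hypothetical and the sample key is constructed, not a real key.

```python
import struct

ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001   # flag bits 7, 8 and 15
RSA_ALGS = {5, 7, 8, 10}                     # RSA-based DNSSEC algorithm numbers

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the full DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def rsa_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA key: exponent length, exponent, modulus."""
    elen, off = pubkey[0], 1
    if elen == 0:                            # long form: 2-byte exponent length
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()

def describe(rdata: bytes) -> dict:
    """Report the properties that are visible in the record itself."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, alg = struct.unpack("!HBB", rdata[:4])
    return {
        "zone_key": bool(flags & ZONE),
        "revoked": bool(flags & REVOKE),
        "sep": bool(flags & SEP),
        "protocol_ok": protocol == 3,
        "algorithm": alg,
        "bits": rsa_bits(rdata[4:]) if alg in RSA_ALGS else None,
        "key_tag": key_tag(rdata),
    }

def with_flags(rdata: bytes, flags: int) -> bytes:
    """Same key material with a different flags field."""
    return struct.pack("!H", flags) + rdata[2:]

# Constructed sample: exponent 65537 and a 1024-bit placeholder modulus.
SAMPLE_KEY = bytes([3, 1, 0, 1]) + b"\xc3" + bytes(126) + b"\x01"
SEP_KEY = struct.pack("!HBB", ZONE | SEP, 3, 8) + SAMPLE_KEY

if __name__ == "__main__":
    for flags in (ZONE, ZONE | SEP, ZONE | SEP | REVOKE):
        print(flags, describe(with_flags(SEP_KEY, flags)))
```

The same key material yields a different key tag for each flags value, because the tag covers the flags field. The rollover method, whether a DS RR points at the key, and whether the operator runs RFC 5011 are not encoded in the record, so the sketch does not report them.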