On Feb 16, 2013, at 7:43 PM, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> Ted's misunderstanding of what you are proposing is a valid one. You don't
> actually say what a negative trust anchor is, and what it is a trust anchor
> for, until section 7. Readers such as Ted (and myself!) will have strong
> prejudices by then.
>
> I would want to see something in the Introduction saying something like:
>
> This document discusses trust anchors for DNSSEC. A "negative trust anchor"
> is equivalent to a "regular" DNSSEC trust anchor for a particular instance of
> a recursive validating resolver. A negative trust anchor is quite different
> from regular DNSSEC trust anchors in that they are local, temporary, and
> definitely not distributed by IANA. They are trust anchors only for DNSSEC,
> not for PKIX.
>
> That should help set the tone for the following sections that say how to use
> them, and then the much later sections on what they actually are.

I also think that it would be very helpful to actually show *how* this is used, with e.g. an example in an Appendix, for <insert favorite resolver here>. The document contains a lot of really useful content about why you might use one, how to minimize damage, etc. but (IMO) doesn't do a great job of explaining *how* to actually do so…

But yes, I think it should be considered for adoption / if this is a CfA I support it :-P

I'd also like to see it presented / discussed at the meeting...

W

>
> --Paul Hoffman
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

--
"Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life." -- Terry Pratchett