Hi Paul,
On 7/8/24 20:08, Paul Hoffman wrote:
OLD
The Zone element in the TrustAnchor element states to which DNS zone
this container applies. The root zone is indicated by a single
period (.) character without any quotation marks.
This is underspecified w.r.t. to format, for labels containing dots.
But, the whole document is about the root (it's even in the title), and I
wonder why the Zone element is there in the first place.
Instead of fixing the Zone element format, why not just drop the whole Zone
element?
The zone element is there in case someone other than the root operator wants to
use the format. Dropping it might cause some current users of the format to
fail, so we are leaving it in.
So it remains underspecified for labels containing dots. (I'm OK with that,
just spelling it out.)
OLD
The id attribute in the KeyDigest element is an opaque string that
identifies the hash.
Is the id attribute expected to be unique within the XML file?
[...]
The spec says it is "an opaque string". Your proposal is to extend that and
make it unique. This could cause a serious problem in the future if IANA does not change
the id string for some reason. We are leaving it as just opaque.
That's fine. However, the attribute name "id" suggests uniqueness, because that's how IDs
usually work. I suggest something like "opaque (but not necessarily unique)", or renaming
it to something else, to prevent this misinterpretation.
OLD
If a system
retrieving the trust anchors trusts the CA that IANA uses for the
"data.iana.org" web server, HTTPS SHOULD be used instead of HTTP in
order to have assurance of data origin.
Does this really mean that if I don't trust the CA, then I should be using HTTP?
Yes.
How does that make things any better?
It does not, but the text doesn't indicate that it makes anything better.
I wonder then why we need the "if" clause in that sentence. I'd remove it, but
I don't feel strongly.
Peter
--
https://desec.io/
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
