Yes. I would like to see deeper consideration of what we are trying to prove to whom, to help the reader decide how best to do it.
--Ben

________________________________
From: Tim Wicinski <tjw.i...@gmail.com>
Sent: Wednesday, October 23, 2024 12:54 PM
To: Ben Schwartz <bem...@meta.com>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt

Ben

I think we need to be careful when we say "account" in these situations - whose account? domain owner, service owners, etc. It is an overly overloaded term.

On Tue, Oct 22, 2024 at 9:58 AM Ben Schwartz <bem...@meta.com> wrote:

> I think this draft should offer more background on the problem space, describing the situations where these DCV patterns are appropriate or inappropriate. In particular, I would like to see text clearly distinguishing two patterns:
>
> 1. "Domain Control Validation" -> Prove that the owner of this account controls this DNS name (by placing a random token in an ephemeral TXT record).
> 2. "Domain Account Authorization" -> Prove that the owner of the DNS name authorizes this account (by placing the account name in a persistent TXT record).
>
> I would like to see guidance on how to choose between these two approaches. Or are they really the same approach, distinguished by authorizing ephemeral accounts vs. persistent ones?

I think part of this answer is based on what the owner of the service requesting the DNS authorizing is requesting is it not?

tim

> Resolving this distinction would help to harmonize this draft with https://datatracker.ietf.org/doc/draft-sheth-dns-integration/
>
> --Ben
>
> ________________________________
> From: Tim Wicinski <tjw.i...@gmail.com>
> Sent: Monday, October 21, 2024 11:18 PM
> To: dnsop <dnsop@ietf.org>
> Subject: [DNSOP] Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt
>
> All
>
> After much badgering, the authors have updated this document, addressing very useful comments from Duane Wessels (thank you!) and useful and poignant comments from Benjamin Kaduk's secdir review (still work through those). There is one outstanding issue which will be on the agenda in Monday's session. I urge all to at least read the diffs.
>
> thanks
> tim
>
> ---------- Forwarded message ---------
> From: <internet-dra...@ietf.org>
> Date: Mon, Oct 21, 2024 at 4:57 PM
> Subject: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-06.txt
> To: <tjw.i...@gmail.com>
>
> A new version (-06) has been submitted for draft-ietf-dnsop-domain-verification-techniques:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-06.txt
> https://www.ietf.org/archive/id/draft-ietf-dnsop-domain-verification-techniques-06.html
>
> The IETF datatracker page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
>
> Diff from previous version:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-domain-verification-techniques-06
>
> IETF Secretariat.