Greetings again. draft-ietf-dnsop-domain-verification-techniques is stuck, I think for good reason. It has evolved to be all of "best practices", "cool extensions", "requirements", and "examples of how people do this now". That evolution has caused the result to have conflicting advice and unclear examples. I sincerely believe that the document can only be saved by making it much shorter, focused just on "best practices".
In making it shorter, it still could use some additions, particularly the pitfalls of domain lifecycle and other topics from Section 4 of draft-sheth-dns-integration. It is a best practice to at least think about all those issues even if this document can't say what to do to protect against normal human failures.

In specific (and not in totality), I'd like to see removed:

- anything about CNAME, other than an explanation about why it is dangerous to rely on
- anything about intermediaries because they grossly complicate the idea of someone controlling a domain
- requirements on randomness length; for many scenarios, 44 bits of entropy is just fine and can be easily typed
- requirements on time-bound checking, other than a description of why you might or might not want it

I know that doing this might be difficult, and if the authors agree that these might be good changes, I'd be willing to do a reorg pass.

Having said that, I'd really like to see this draft and draft-sheth-dns-integration (or at least the ideas in them) move forward so that other drafts that rely on them (such as draft-chins-dnsop-web3-wallet-mapping) can move as well.

--Paul Hoffman