Greetings DNSOP,

We have recently published draft-sheth-identifiers-dns (1), which proposes some best practices for Application Service Providers who provide associations between a global DNS domain name and use-case-specific references. The best practices use DNSSEC to provide a globally consistent, cryptographically verifiable association.

While nonce-based domain control validation (DCV) has been used for similar purposes, it may not be practical when the association is persistent and where multiple relying parties want to confirm the association independently, as this would require a nonce for each relying party, which may become impractical for a user to maintain. Examples of persistent, multiple-perspective use cases include the CAA record used by Certificate Authorities, the proposals to use DNS to identify digital wallets, and the use of domain names as social media handles. In each use case, more than one party uses the same DNS data and should come to the same conclusion, e.g., in CAA, whether the Certificate Authority is authorized (or not) to issue a certificate for a domain name.

This draft differs from the current DCV BCP draft (2) in the persistence of the DNS record(s), the presence of multiple relying parties, and the requirement of DNSSEC. Our perspective is that these differences are substantive enough to merit separate drafts, but we are open to further discussion.

Thanks,
Swapneel
(1) - https://datatracker.ietf.org/doc/draft-sheth-identifiers-dns/
(2) - https://datatracker.ietf.org/doc/draft-ietf-dnsop-domain-verification-techniques/
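As an added illustration of the CAA case mentioned in the message (example code written for this page, not from the draft or any CA's implementation): two relying parties evaluating the same persistent, DNSSEC-validated CAA data reach the same conclusion, and a relying party refuses to conclude anything when the records did not validate. The zone snapshot, CA names and the `validated` flag standing in for a resolver's AD bit are constructed assumptions.

```python
"""Relying-party check over a constructed CAA record set (added example)."""
from dataclasses import dataclass

@dataclass
class RRset:
    validated: bool   # stands in for the resolver's AD bit (DNSSEC-validated answer)
    records: list     # CAA records as (flags, tag, value) tuples

# Constructed zone snapshot: owner name -> CAA RRset. Not real DNS data.
ZONE = {
    "example.com.": RRset(True, [(0, "issue", "ca-one.example"),
                                 (0, "issuewild", ";")]),       # no wildcard issuance
    "unsigned.example.": RRset(False, [(0, "issue", "ca-two.example")]),
}

def relevant_rrset(name, zone):
    """RFC 8659 section 3: climb toward the root until a CAA RRset is found."""
    labels = name.rstrip(".").split(".")
    while labels:
        owner = ".".join(labels) + "."
        if owner in zone:
            return zone[owner]
        labels = labels[1:]
    return None

def ca_authorized(name, ca, wildcard, zone):
    """True/False if a verifiable decision exists, None if the data did not validate.

    Every relying party (each CA) runs this same logic on the same records, so
    no per-party nonce is needed: the persistent, signed record is the proof.
    """
    rrset = relevant_rrset(name, zone)
    if rrset is None:
        return True                     # no CAA in the tree: issuance unrestricted
    if not rrset.validated:
        return None                     # unverifiable association: refuse to decide
    # A critical-flagged property we do not understand forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef")
           for f, t, _ in rrset.records):
        return False
    tag = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in rrset.records if t == tag]
    if wildcard and not props:          # issuewild absent: issue governs wildcards
        props = [v for _, t, v in rrset.records if t == "issue"]
    if not props:
        return True                     # no relevant property: unrestricted
    # Value is "<issuer-domain>[; parameters]"; a bare ";" authorizes nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in props}
    return ca.lower() in allowed

if __name__ == "__main__":
    for ca in ("ca-one.example", "ca-two.example"):   # two independent relying parties
        print(ca, ca_authorized("www.example.com.", ca, False, ZONE))
```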