To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Cc: ietf-provreg@cafax.se
From: "Jörg Bauer/Denic" <bauer@denic.de>
Date: Thu, 11 Jan 2001 09:17:47 +0100
Sender: owner-ietf-provreg@cafax.se
Subject: Antwort: RE: Security vs. Authorization


> >
> > % > Are you sure that the registrar is the only one entitled to
> > % > perform any change?
> > %
> > % There should be only one registrar authorized to change an
> > % object, but they should do so either on behalf of a registrant
> > % or pursuant to whatever legal arrangement exists between
> > % registrar and registrant.
> > %
> > % <Scott/>

Think a little bit about the future: Secure DNS.
I think there is a real need that, for example, the registrant itself
"signs" his request to change some name servers.
Not all registrars belong to the "good people" group, and may change
something.

I think there are two types of authorisation needed: one to "log in" to
the registry, and one for every object in the registry.

From my point of view every object in the registry has two parts:
1. the object itself
2. some kind of metadata

This metadata holds a lot of the policy of the registry.
There you have the information about the registrant, the date/time of
creation/update, and (most important) some kind of ACL.

Normally the registrar is part of the ACL, but it is also possible to put
the customer on the list as well.
This also makes life easier for the registrar.

Example: If I have an X.509 certificate from Verisign ( ;-) ....) I want to
be able to change my contact data in the registry.
The registrar is then easily able to say "OK, this really seems to be my
customer" and forward this request to the registry.

Conclusion:
There is a requirement for authorisation objects inside the registry. These
objects may be username/password pairs, X.509 certificates, PGP keys or
whatever. It MUST be part of the GRRP protocol and not part of the
transport protocol.

Correct me if I am thinking too far......


--
----------------------------------+-------------------------------------------

Joerg Bauer                       | eMail : Joerg.Bauer@denic.de
DENIC eG                          | Fon   : +49 69 272 35 180
Wiesenhuettenplatz 26             | Fax   : +49 69 27235 235
D-60329 Frankfurt                 |
----------------------------------+-------------------------------------------
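The two-level model argued for in the message above (a registry login, then a per-object ACL kept in the object's metadata, with some changes signed by the registrant rather than merely submitted by a registrar) as an added Python illustration. This is not code from the thread or from any registry protocol; the principal names, shared secrets, the sample object and the rule that name-server changes need the registrant's signature are all constructed assumptions, and HMAC over a shared secret stands in for the X.509 or PGP credentials the message mentions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample "authorisation objects": principal -> shared secret.
# Username/password pairs stand in for X.509 or PGP keys here; only the
# sign/verify functions would change for those credential types.
CREDENTIALS = {
    "registrar-a": b"registrar-a-secret",
    "registrar-b": b"registrar-b-secret",
    "registrant-42": b"registrant-42-secret",
}

# Assumed registry policy: changes to these attributes must be signed by
# the registrant, not merely submitted by a registrar on the ACL.
REGISTRANT_SIGNED_FIELDS = {"nameservers"}


@dataclass
class Metadata:
    """The 'second part' of every object: who owns it, when, and who may change it."""
    registrant: str
    created: str
    updated: str
    acl: frozenset  # principals allowed to change the object


@dataclass
class RegistryObject:
    name: str
    data: dict
    meta: Metadata


def make_sample_object():
    """Constructed example object: registrar-a and registrant-42 are both on the ACL."""
    now = datetime(2001, 1, 11, 8, 17, 47, tzinfo=timezone.utc).isoformat()
    return RegistryObject(
        name="example.invalid",
        data={"contact_email": "old@example.invalid",
              "nameservers": ["ns1.example.invalid"]},
        meta=Metadata(registrant="registrant-42", created=now, updated=now,
                      acl=frozenset({"registrar-a", "registrant-42"})),
    )


def login(principal, password):
    """Level 1: authenticate to the registry. Returns the principal as a session id."""
    secret = CREDENTIALS.get(principal)
    if secret is None or not hmac.compare_digest(secret, password):
        raise PermissionError(f"login failed for {principal}")
    return principal


def _canonical(request):
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_request(principal, request):
    """A principal signs a change request with its own credential."""
    return hmac.new(CREDENTIALS[principal], _canonical(request), hashlib.sha256).hexdigest()


def verify_signature(principal, request, signature):
    expected = hmac.new(CREDENTIALS[principal], _canonical(request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def apply_change(session, obj, request, signed_by=None, signature=None):
    """Level 2: per-object ACL check, plus a registrant signature where policy requires it."""
    if session not in obj.meta.acl:
        raise PermissionError(f"{session} is not on the ACL of {obj.name}")
    if REGISTRANT_SIGNED_FIELDS.intersection(request):
        if signed_by != obj.meta.registrant:
            raise PermissionError("change requires the registrant's signature")
        if signature is None or not verify_signature(signed_by, request, signature):
            raise PermissionError("registrant signature does not verify")
    obj.data.update(request)
    obj.meta.updated = datetime.now(timezone.utc).isoformat()
    return obj


if __name__ == "__main__":
    obj = make_sample_object()
    session = login("registrar-a", b"registrar-a-secret")
    apply_change(session, obj, {"contact_email": "new@example.invalid"})
    req = {"nameservers": ["ns2.example.invalid"]}
    apply_change(session, obj, req, signed_by="registrant-42",
                 signature=sign_request("registrant-42", req))
    print(obj)
```

The point of the split is visible in `apply_change`: a registrar that has logged in and is on the ACL can update contact data on its own, but a name-server change is refused unless the request body itself verifies under the registrant's credential, so a registrar outside the "good people" group cannot alter it unilaterally. Because the credentials live in the registry alongside the object metadata, the check works regardless of which transport carried the request.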