

To: Martin Oldfield <m@mail.tc>
cc: <ietf-provreg@cafax.se>
From: Sheer El-Showk <sheer@saraf.com>
Date: Thu, 15 Feb 2001 12:17:21 -0500 (EST)
In-Reply-To: <14987.58229.871413.628056@joanna.william.org>
Sender: owner-ietf-provreg@cafax.se
Subject: Re: draft-hollenbeck-grrp-reqs-06 [Was Re: Interim Meeting]

> >>>>> "Sheer" == Sheer El-Showk <sheer@saraf.com> writes a splendid
> >>>>> email in which the benefits of assigning each object in the
> >>>>> registry its own key are discussed. (I hope that's not too great
> >>>>> a misrepresentation.)

First Martin, thank you for your very flatteringly phrased summary.

I haven't gone over my email since reading your comments and it's quite
possible I gave the wrong impression in it because we are, in reality, in
complete accord.  In no way did I envision every registry object having a
key associated with it.  Rather, the keys belong to real-world individuals
or entities and are used to sign registry objects to denote ownership.
That is, as a person (not a contact or an SLD holder or whatever), I have
a public key which (whether generated by a registrar on my behalf as has
been suggested by some, or a personal one) I use to tag registry
entities over which I have authority (which would be all the contacts
associated with me as a person, all domains I own, and any nameservers in
those domains).  When I transfer these entities (actually only domains can
be transferred) the registry must propagate the key change itself through
all dependent entities (this is much simpler than it sounds -- even in
fat registries Contacts are not attributes of a domain, they are separate
records referenced by domains and their ownership does not change with
domain ownership -- the only thing that has to be done is to change the
key on the nameservers under that domain).  That way the old owner has no
ability to affect the domains anymore.

Does this cover your concerns or did I misunderstand something you said?

Regards,
Sheer El-Showk


>
> I think there are two other disadvantages of this approach when
> compared to a scheme in which `contacts' (for want of a better word)
> authenticate themselves, and access rights are conferred on the basis
> of the inter-object relationships.
>
> 1. Typically the registrant will have a whole bunch of objects in the
>    database. If each one of these has its own key, then I think most
>    registrants will get confused.
>
> 2. Concentrating on the case of a domain being transferred for a
>    moment, I think giving the domain its own key makes this harder. If
>    registrant A sells the domain to B, then after the sale A really
>    shouldn't have access rights. If the access to the domain is
>    controlled on the basis of its contacts then all well and good; if
>    it's on the basis of a public key then one needs to ensure that all
>    the key management happens in synchrony.
>
> Cheers,
> --
> Martin Oldfield,
> AdamsNames Ltd.
>
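A toy model of the scheme Sheer describes in his reply, added here as an illustration and not part of the thread or of any registry's code: keys belong to people rather than to registry objects, each object is tagged with the key of the person who may change it, and transferring a domain re-tags the domain and the nameservers under it while contacts keep their own owner. Key ids such as "keyA" stand in for real public keys and signature checks, and the names and hosts are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Each table maps an object name to the key id of the person who
    may change it (a key id stands in for a real public key here)."""
    domains: dict = field(default_factory=dict)
    nameservers: dict = field(default_factory=dict)
    contacts: dict = field(default_factory=dict)

    def _check(self, key, table, name):
        # Authorization: the presented key must be the one tagged on the object.
        if table.get(name) != key:
            raise PermissionError(f"{key} may not act on {name}")

    def create_contact(self, key, handle):
        self.contacts[handle] = key

    def create_domain(self, key, name, hosts):
        self.domains[name] = key
        for host in hosts:
            if not host.endswith("." + name):
                raise ValueError(f"{host} is not under {name}")
            self.nameservers[host] = key  # nameservers in the domain follow it

    def transfer_domain(self, key, name, new_key):
        """Only the current holder's key may transfer. The registry then
        propagates the new key to every nameserver under the domain;
        contacts are separate records and are left untouched."""
        self._check(key, self.domains, name)
        self.domains[name] = new_key
        for host in self.nameservers:
            if host.endswith("." + name):
                self.nameservers[host] = new_key

    def may_modify(self, key, kind, name):
        return getattr(self, kind).get(name) == key


def demo():
    # Constructed scenario: A registers a domain and one nameserver, then sells to B.
    reg = Registry()
    reg.create_contact("keyA", "A-admin")
    reg.create_domain("keyA", "example.test", ["ns1.example.test"])
    reg.transfer_domain("keyA", "example.test", "keyB")
    return {
        "A_domain": reg.may_modify("keyA", "domains", "example.test"),
        "B_domain": reg.may_modify("keyB", "domains", "example.test"),
        "A_ns": reg.may_modify("keyA", "nameservers", "ns1.example.test"),
        "B_ns": reg.may_modify("keyB", "nameservers", "ns1.example.test"),
        "A_contact": reg.may_modify("keyA", "contacts", "A-admin"),
    }
```

After the transfer the old owner's key no longer authorizes changes to the domain or its nameservers, which is the synchrony concern in Martin's point 2 handled by the registry rather than by the registrant.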


