To: ietf-provreg@cafax.se
From: Ulrich Wisser <liste@publisher.de>
Date: Mon, 02 Nov 2009 11:08:03 +0100
In-Reply-To: <20091029142039.GF65688@shinkuro.com>
Sender: owner-ietf-provreg@cafax.se
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
Subject: Re: [ietf-provreg] Anyone working on 4310-bis?
Andrew Sullivan wrote:
> On Wed, Oct 28, 2009 at 12:45:54PM +0100, Ulrich Wisser wrote:
>
>> The add command (as well as update) uses the secDNS:dsDataType, which
>> makes keytag, alg, digestType and digest mandatory. I know that .SE and
>> other registries considered becoming a "fat" registry and taking in the
>> public keys instead of the DS records. The DS records would be computed
>> from the public keys according to registry policies.
>> This case is not covered by 4310.
>
> While this is true, 4310 does provide an OPTIONAL <secDNS:keyData>
> element. Registry policy could require this. Then you could get the
> DS and the DNSKEY at the same time, and you could even check to be
> sure the DS they're providing actually matches the DNSKEY they're
> providing (and use that as a first-line test to make sure their plan
> is sane. If they can't generate the right DS, they are as likely to
> have other problems as not, and it could well be that you want to stop
> doing anything until it's sorted). No?
I agree and this is not a big issue. I just thought that while we are
changing the XML schema anyway, this change wouldn't be too troublesome
either. I believe
<complexType name="dsDataType">
  <sequence>
    <!-- The DS fields become an optional block; an inline group
         particle must be a nested sequence in XSD, not an anonymous
         <group>, so the optional block is written as a sequence. -->
    <sequence minOccurs="0">
      <element name="keyTag" type="unsignedShort"/>
      <element name="alg" type="unsignedByte"/>
      <element name="digestType" type="unsignedByte"/>
      <element name="digest" type="hexBinary"/>
      <element name="maxSigLife" type="secDNS:maxSigLifeType"
       minOccurs="0"/>
    </sequence>
    <!-- keyData stays optional, as in RFC 4310 -->
    <element name="keyData" type="secDNS:keyDataType"
     minOccurs="0"/>
  </sequence>
</complexType>
would do the trick and still be backward compatible, wouldn't it?
/Ulrich
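Andrew's suggestion that the registry check a client-supplied DS against the accompanying DNSKEY, and Ulrich's "fat registry" that derives DS records from submitted public keys, both come down to the same computation (RFC 4034: key tag over the DNSKEY RDATA, digest over canonical owner name plus RDATA). The Python below is an added example, not code from this thread; the domain name and the 4-byte stand-in public key are constructed placeholders.

```python
import hashlib

# DS digest type codes (RFC 4034 / RFC 4509) mapped to hashlib algorithm names
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}

def wire_name(owner: str) -> bytes:
    """Owner name in canonical (lower-case) DNS wire format, RFC 4034 s6.2."""
    labels = owner.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int) -> dict:
    """Registry-side derivation of a DS record from a submitted DNSKEY.
    Returns the four mandatory secDNS:dsDataType fields."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(wire_name(owner) + rdata)    # digest = H(owner | DNSKEY RDATA)
    return {"keyTag": key_tag(rdata), "alg": rdata[3],
            "digestType": digest_type, "digest": h.hexdigest()}

def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """First-line sanity check: does the supplied DS match the supplied DNSKEY?"""
    if ds["digestType"] not in DIGEST_ALGS:
        return False                      # unknown digest type: cannot verify
    expected = ds_from_dnskey(owner, rdata, ds["digestType"])
    return (expected["keyTag"] == ds["keyTag"] and expected["alg"] == ds["alg"]
            and expected["digest"].lower() == ds["digest"].lower())

if __name__ == "__main__":
    # Constructed sample: zone key (flags 256), alg 8, 4-byte placeholder key
    rdata = dnskey_rdata(256, 3, 8, b"ABCD")
    ds = ds_from_dnskey("example.se.", rdata, 2)
    print(ds, ds_matches("example.se.", rdata, ds))
```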
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
List run by majordomo software. For (Un-)subscription and similar details
send "help" to ietf-provreg-request@cafax.se