To: EPP Provreg <ietf-provreg@cafax.se>
From: James Gould <jgould@verisign.com>
Date: Thu, 28 Jan 2010 09:59:11 -0500
Sender: owner-ietf-provreg@cafax.se
Thread-Index: AcqgKnLiY3Zn3mkbGEasPi3E9YilUw==
Thread-Topic: rfc4310bis 03 AD Feedback
User-Agent: Microsoft-Entourage/12.23.0.091001
Subject: [ietf-provreg] rfc4310bis 03 AD Feedback

All,

One of the items for the AD review of rfc4310bis is below.  I want to bring this up to the list for feedback, since this is text from the original RFC.  

>>       An OPTIONAL <secDNS:maxSigLife> element that indicates a child's
>>       preference for the number of seconds after signature generation
>>       when the parent's signature on the DS information provided by the
>>       child will expire.  A client SHOULD specify the same <secDNS:
>>       maxSigLife> value for all <secDNS:dsData> elements associated with
>>       a domain.  If the <secDNS:maxSigLife> is not present, or if
>>       multiple <secDNS:maxSigLife> values are requested, the default
>>       signature expiration policy of the server operator (as determined
>>       using an out-of-band mechanism) applies.
>
> I am slightly surprised that the latter is not an error condition.
> But if this what people have implemented, then Ok.

So the question is around specifying different secDNS:maxSigLife values for the secDNS:dsData (DS Data Interface) or secDNS:keyData (Key Data Interface).  The RFC recommends (SHOULD) that the client use the same secDNS:maxSigLife value, but does not mandate it.  The question is whether the server signature expiration policy should apply when the client does specify multiple values for a domain and the server accepts it.  It makes more sense to me that the server should return an error if passing a different secDNS:maxSigLife will result in the default being applied by the server.  If an error is returned, I would propose returning 2306, since it would be up to the server policy to have a single signature expiration across all DS or keys of a domain.  If it’s not up to server policy, then the draft should use MUST instead of SHOULD for the client and the server should return an error like 2305 “Object association prohibits operation” or 2004 “Parameter value range error”.  I don’t believe either 2305 or 2004 match the error exactly, but I guess I would lean towards 2004.  Any opinions on which error code to use?      

Please reply to the list or to me privately related to your preference on this feedback.  

Thanks,

--

JG

-------------------------------------------------------
James F. Gould
Principal Software Engineer
VeriSign Naming Services
jgould@verisign.com
Direct: 703.948.3271
Mobile: 703.628.7063
21345 Ridgetop Circle
LS2-2-1
Dulles, VA 20166

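The three server behaviours weighed in the message above (apply the server default silently, reject with 2306, or reject with 2004) can be compared side by side on a constructed secDNS payload. The following is an added example, not code from James Gould's message, from any EPP registry, or from the draft; the `urn:ietf:params:xml:ns:secDNS-1.1` namespace, the 7-day server default, the per-`dsData` placement of `maxSigLife` (taken from the quoted draft text) and the treatment of a present/absent mix as a conflict are all assumptions of this example. The result code texts are the standard RFC 5730 ones.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for the secDNS extension of the draft under discussion;
# the thread does not name it, so treat this as a placeholder.
SECDNS_NS = "urn:ietf:params:xml:ns:secDNS-1.1"
NS = {"secDNS": SECDNS_NS}

# EPP result codes (RFC 5730) mentioned in the thread.
RESULT_TEXT = {
    1000: "Command completed successfully",
    2004: "Parameter value range error",
    2305: "Object association prohibits operation",
    2306: "Parameter value policy error",
}

# Constructed server policy: default signature expiration of 7 days.
SERVER_DEFAULT_MAXSIGLIFE = 604800


def sample_create(max_sig_lives):
    """Build a constructed <secDNS:create> with one dsData per entry;
    None omits the maxSigLife element for that dsData."""
    parts = [f'<secDNS:create xmlns:secDNS="{SECDNS_NS}">']
    for i, msl in enumerate(max_sig_lives):
        parts.append("  <secDNS:dsData>")
        parts.append(f"    <secDNS:keyTag>{12345 + i}</secDNS:keyTag>")
        parts.append("    <secDNS:alg>3</secDNS:alg>")
        parts.append("    <secDNS:digestType>1</secDNS:digestType>")
        parts.append("    <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>")
        if msl is not None:
            parts.append(f"    <secDNS:maxSigLife>{msl}</secDNS:maxSigLife>")
        parts.append("  </secDNS:dsData>")
    parts.append("</secDNS:create>")
    return "\n".join(parts)


def collect_max_sig_life(ext_xml):
    """Return one entry per <secDNS:dsData>: its maxSigLife as int, or None if absent."""
    root = ET.fromstring(ext_xml)
    values = []
    for ds in root.iterfind(".//secDNS:dsData", NS):
        node = ds.find("secDNS:maxSigLife", NS)
        if node is None or node.text is None:
            values.append(None)
        else:
            values.append(int(node.text.strip()))
    return values


def check_max_sig_life(ext_xml, on_conflict="default"):
    """
    Decide how a server treats maxSigLife across the dsData elements of one domain.

    on_conflict picks one of the behaviours discussed in the thread when the
    client sends differing values:
      "default" -> accept the command and apply the server default (the
                   behaviour of the quoted draft text)
      "2306"    -> reject with "Parameter value policy error"
      "2004"    -> reject with "Parameter value range error"

    Returns (result_code, effective_max_sig_life); the second item is None
    when the command is rejected.
    """
    values = collect_max_sig_life(ext_xml)
    present = [v for v in values if v is not None]

    if not present:
        # Element absent everywhere: server default applies, no error in any variant.
        return 1000, SERVER_DEFAULT_MAXSIGLIFE
    if len(present) == len(values) and len(set(present)) == 1:
        # Same value on every dsData: honour the client's preference.
        return 1000, present[0]

    # Differing values, or a mix of present and absent (treated as a conflict
    # here; that interpretation is this example's assumption).
    if on_conflict == "default":
        return 1000, SERVER_DEFAULT_MAXSIGLIFE
    if on_conflict in ("2306", "2004"):
        return int(on_conflict), None
    raise ValueError(f"unknown on_conflict policy: {on_conflict!r}")


if __name__ == "__main__":
    cases = [("consistent", [3600, 3600]),
             ("absent", [None, None]),
             ("conflicting", [3600, 7200])]
    for label, msls in cases:
        for policy in ("default", "2306", "2004"):
            code, eff = check_max_sig_life(sample_create(msls), policy)
            print(f"{label:12} policy={policy:8} -> {code} {RESULT_TEXT[code]};"
                  f" maxSigLife={eff}")
```

Running the block prints the outcome of each policy for a consistent, an absent and a conflicting payload; the point it makes visible is that only the conflicting case differs between the variants, so the choice of error code is purely a question of what the server reports, not of which commands it can validate. The silent "default" variant is the one that leaves the client unaware that its stated preference was discarded.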