All, I submitted the following draft:
https://datatracker.ietf.org/doc/draft-hallambaker-omnipublish/

The draft proposes a JSON/REST based protocol that a service can use to:

1) Tell the local DNS service 'hey I am here, please configure records for me to serve the XYZ protocol' (also potentially configure firewalls etc.).

2) Acquire the necessary cryptographic credentials to provide that service.

Now as you would expect from me, the draft is designed to make it as easy as possible for people to get certs from a CA. But combining the two publication tasks into one protocol makes it a good fit for DANE as well.

Looking at recent attacks and the needs of cloud service environments and the problem of doing high quality key generation, I believe that at some point in the future the consensus will shift away from the 'generate the keys at the end point' model to a 'generate keys where you know the job will be done right' model.

So today the process of bringing up a server is that you install the application, go through the application config, generate keys, do the DNS configuration, apply for certs, configure the server and go. That is going to take a week of elapsed time in a typical enterprise as every request cuts across departments.

With OmniPublish the only admin steps required are install the application and go through the application config. The application knows everything else it needs at that point and can ask.

Not suggesting this as a WG item. But it is clear that something like this is going to be needed if DANE is ever going to be practical.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
