On 3/13/15, 4:10 PM, "Paul Hoffman" <[email protected]> wrote:
> >> On Mar 13, 2015, at 11:23 AM, John Levine <[email protected]> wrote:
> >>
> >> I see that in dane-openpgpkey, the name on the record is
> >>
> >> <hash>._openpgpkey.domain
> >>
> >> and in dane-smime, the name is:
> >>
> >> <hash>._smimecert.domain
> >>
> >> These are two different names for the same mailbox. Since they use
> >> the same hash, wouldn't it be a better idea for both of them and any
> >> future RRs that use hashed mailboxes to use the same name?
> >>
> >> <hash>._mailbox.domain
> >
> > This could go either way. If the WG thinks that the user, or someone
> > responsible for the user, will add and change DNS records for that user,
> > your proposal would clearly be better because you could delegate the user
> > to a new subzone. On the other hand, if the WG thinks that the security
> > admin will be the one adding and changing records for a particular type
> > of mail security, then the design we are using now is better. I lean
> > towards the second, but can see the merit of the first now that people
> > are thinking of using this for things other than just mail security.

I would like to suggest that we need to begin considering the need for users to directly affect the records that refer to them. For example, you want a user to be able to manage their own public key without getting the zone administrator involved directly. One way to do this is to use a system that proxies for the zone administrator, but the bottom line is that as we move toward user-specific data in the DNS we need to begin thinking about things a little differently.

> > --Paul Hoffman
> > _______________________________________________
> > dane mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/dane
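As an added example (not code from the thread or from either draft), the following Python derives the owner names the thread compares from a single mailbox address, so the shared hash label and the differing type label are visible side by side. It assumes the hash is SHA2-256 of the UTF-8 local-part truncated to 28 octets, as RFC 7929 (OPENPGPKEY) and RFC 8162 (SMIMEA) specify; the thread itself only says both drafts use "the same hash". `_mailbox` is John's proposed label, not a registered one.

```python
import hashlib

# Owner-name labels discussed in the thread. _mailbox is the proposed
# shared label from the thread, not a registered DNS underscore label.
OPENPGPKEY_LABEL = "_openpgpkey"
SMIMEA_LABEL = "_smimecert"
PROPOSED_SHARED_LABEL = "_mailbox"


def mailbox_hash(local_part: str) -> str:
    """SHA2-256 of the UTF-8 local-part, truncated to 28 octets, hex-encoded.

    Assumption: this is the construction in RFC 7929 and RFC 8162.
    The local-part is hashed exactly as given (no case-folding), so
    "Hugh" and "hugh" map to different owner names; a publisher who
    expects case-insensitive lookups must publish both.
    """
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()
    return digest[:28].hex()


def owner_name(email: str, label: str) -> str:
    """Build the fully qualified owner name <hash>.<label>.<domain>."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not a mailbox address: {email!r}")
    # DNS names are case-insensitive, so the domain part may be normalised.
    return f"{mailbox_hash(local_part)}.{label}.{domain.lower()}."


def owner_names(email: str) -> dict:
    """Owner names for one mailbox under each label the thread mentions."""
    labels = (OPENPGPKEY_LABEL, SMIMEA_LABEL, PROPOSED_SHARED_LABEL)
    return {label: owner_name(email, label) for label in labels}


if __name__ == "__main__":
    # Constructed sample mailbox; the first label is identical in all three.
    for label, name in owner_names("hugh@example.com").items():
        print(f"{label:12} {name}")
```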
