At 11:58 AM +0000 9/29/08, [EMAIL PROTECTED] wrote:
> Remove all of 3.1.2. Longer keys are not useful because the crypto
guidance is that everyone should use keys that no one can break. Also,
crypto guidance from whom?
That guidance, as it were, is in RFC 4641.
longer keys are useful for several
reasons.
Please explain. Using keys longer than the actual security needs
waste CPU cycles both for the signing zone and the recursive DNS, and
also waste bandwidth.
> it is impossible to judge which zones are more or less valuable to an
value is in the eyes of the zoen admin, not a random hacker.
Of course. If you have proposed text to help a zoen admin put a value
on their zone that can be translated into signing key lengths, please
post it.
> Remove the first phrase of the fourth paragraph of 3.3. At the end of
the paragraph, add:
Note that if a trust anchor replacement is done incorrectly, the
entire zone that the trust anchor covers will become bogus until
the trust anchor is corrected.
manipulation of the TA/SEP nonces fundamentally changes the
validators view of trust.
one presumes that your assuming a single trust heirarchy and
wiggling one piece to give
a parallax view creates "bogus" data -from the perspective of
one view of a trust heirarchy-.
alternate trust heirarchies will emerge.
Fully agree; they already have. How does that affect the change that
I proposed?
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
