In message <can2hq05sgfaoz36cmubgwkj+3yzmztyg2mxszb_rzytdo+s...@mail.gmail.com>
Richard Mortier writes:

> On 13 August 2012 20:04, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> > ...
> > which would permit you to validate who I am, even though neither of
> > have connectivity at the time.. I would cache my DNSSEC path, and of
> > course, we each would already have the root DNSSEC key. (no different
> > than how PKIX works...)
> >
> > I see signposts as being additional local trust anchors that can be
> > used.
>
> yes, i think we would too :)

You did trim out the example, where due to the trust, whitehouse.gov
and billthecat.whitehouse.gov are all DNSSEC signed domains. I
suppose that is why the smiley.

> specifically: in the "common case" we'd envisage that each person
> would have at least one publicly visible signpost, probably hosted in
> the cloud (whether or not operated directly by them, or through some
> "signpost-as-a-service" provider) unless they have suitable local
> resources.

... and the difference between signed untrustworthy source of
information and an unsigned untrustworthy is ... what?

This is putting yet another service in the cloud that need not be
there, though global DNS could be considered "in the cloud" as
commonly practiced for the home user.

What we are trying to accomplish is getting a local name service that
is somehow authoritative for the local site, and optionally can be
made global.

Putting the mapping to the local printer in the cloud would break
printing if the cloud were not accessible (hopefully temporarily) but
for some devices, like home alarms, utility metering, the fridge,
... the kitchen sink, with low power wireless, the cloud might often
not be there.

> but we have certainly discussed supporting suitable state
> replication/caching among signpost instances so that any
> locally-connected collection of signpost-enabled clients can do all of
> this without recourse to the public internet (eg., for cases where you
> still want to be able to interconnect your own devices and you're
> travelling, or you're at home your broadband uplink has gone down).

Please give us a good reason to reinvent the wheel. I don't see one.
You need to say what DNS can't do, possibly with some extension, that
signpost offers.

> Richard Mortier
> m...@cantab.net

Regards,

Curtis
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet