On 2013-03-21 at 07:45 -0700, Peter Saint-Andre wrote:
> https://datatracker.ietf.org/doc/draft-miller-xmpp-posh-prooftype/
"""
however, these technologies are not yet widely deployed and might not be deployed in the near future for domains outside the most common top-level domains (e.g., ".COM", ".NET", ".EDU").
"""

Of 272 TLDs, 85 have DS records. [1] ARPA is not germane, so that's 84/271. So while DNSSEC is not universal, it's certainly misleading to imply that it's rare outside of the traditional gTLDs. Eyeballing the list of TLDs with DNSSEC delegated through them [2] it looks to cover most nations with a strong Internet presence; notable by their absence are just IT, HU, CN and AU. And, perhaps ironically, PRO. ;)

Reading that draft, it's unclear to me where "im.example.com" comes from; is that the JID domain, thus p...@im.example.com, and so there has to be an HTTP server at the zone apex which can be configured with XMPP policy content, or is that derived from p...@example.com, in which case how is the im label determined? What's the trust path to it?

I see the value in having an alternative to DNSSEC, and even having it around for the longer term, to be proof against mandated alternate root anchors and inline resigning, for those stuck in countries where that can be mandated.

I'm trying to figure out what is being gained here: something equivalent to DNS NAPTR but with PKIX validation of the results? After all, if I can have appropriate certs on a web-server, served up by domain, I can have the same on an XMPP server. The key seems to be to rely upon SNI support in web-servers without having to make sure XMPP servers can also do dynamic certificate selection, and also letting XMPP hosting be delegated (thus the NAPTR aspect of things) -- am I correct in my summarisation, or have I missed something?
Thanks,
-Phil

[1] Transfer root zone from open root, capture in file "root-zone";

    # For every TLD delegated at the root (an NS record), report whether the
    # root also carries a DS record for it, i.e. whether the DNSSEC chain of
    # trust extends into that TLD.
    perl -ne 'BEGIN { $top = { NS => {}, DS => {} } };
      if (/^([A-Za-z]+)\.\s+\d+\s+IN\s+(NS|DS)\b/) { $top->{$2}{$1} = 1 };
      END {
        foreach my $k (sort keys %{$top->{NS}}) {
          $haveds = exists $top->{DS}{$k};
          print $k . "\t\t" . ($haveds ? "Secure" : "Insecure") . "\n";
        }
      }' < root-zone

[2] tack on

    | sed -n 's/Secure//p' | xargs

Results:

    ac ag am arpa asia at be bg biz br bz ca cat cc ch cl co com cr cz de dk edu eu fi fo fr gi gl gov gr hn in info io jp kg kr la lb lc li lk lt lu lv me mil mm mn museum my na nc net nl nu nz org pl pm post pr pt pw re ru sc se sh si su sx tf th tm tt tw tz ua ug uk us wf yt
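The same root-zone check as the Perl one-liner in [1], written as an added Python example (not from the original message): it classifies each delegated TLD as Secure or Insecure by the presence of a DS record at the root and also computes the coverage fraction with ARPA excluded, as the message does by hand. The zone lines are a constructed sample in root-zone file format; the DS digests are placeholders, not real values.

```python
import re

# Constructed sample of root-zone records (NS and DS lines only); the DS
# digests are placeholders, not real data.
SAMPLE_ROOT_ZONE = """\
com.	172800	IN	NS	a.gtld-servers.net.
com.	86400	IN	DS	12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
net.	172800	IN	NS	a.gtld-servers.net.
arpa.	172800	IN	NS	a.root-servers.net.
arpa.	86400	IN	DS	12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
it.	172800	IN	NS	a.dns.it.
se.	172800	IN	NS	a.ns.se.
se.	86400	IN	DS	12345 8 2 0000000000000000000000000000000000000000000000000000000000000000
"""

# Same shape as the Perl regex: owner label, TTL, class IN, then NS or DS.
RECORD_RE = re.compile(r"^([A-Za-z]+)\.\s+\d+\s+IN\s+(NS|DS)\b")


def classify_tlds(zone_text):
    """Map each TLD delegated at the root (has NS) to 'Secure' or 'Insecure'.

    'Secure' means the root also publishes a DS record for the TLD, so a
    validating resolver can extend the DNSSEC chain of trust into it.
    """
    delegated, signed = set(), set()
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # glue, SOA, comments, etc. are not relevant here
        tld, rtype = m.group(1).lower(), m.group(2)
        (delegated if rtype == "NS" else signed).add(tld)
    return {t: ("Secure" if t in signed else "Insecure") for t in sorted(delegated)}


def dnssec_coverage(zone_text, exclude=("arpa",)):
    """Return (signed_count, total_count, signed_tlds), skipping infrastructure
    TLDs such as arpa that say nothing about registrant-facing deployment."""
    status = classify_tlds(zone_text)
    considered = [t for t in status if t not in exclude]
    secure = [t for t in considered if status[t] == "Secure"]
    return len(secure), len(considered), secure


if __name__ == "__main__":
    for tld, state in classify_tlds(SAMPLE_ROOT_ZONE).items():
        print(f"{tld}\t\t{state}")
    n, total, names = dnssec_coverage(SAMPLE_ROOT_ZONE)
    print(f"{n}/{total} delegated TLDs have DS records: {' '.join(names)}")
```

Run it against a full root zone file instead of the sample to reproduce the counts quoted in the message.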