I look forward to your seeing further problems with this DSD thing.
Meanwhile, I just want to clarify one thing, since I seem to have
confused a number of folks:

Jim Fenton wrote:
> Key delegation is already introduced in -base, and we have already
> described how the key management works (in DNS, anyway). SSP DSD isn't
> a new key management scheme, but rather a way of authorizing other
> domains to sign using the existing scheme.

I agree. (Well, I can't recall if key delegation is really specified
in base, as opposed to allowed-for by base, but anyway.)
My point is that without the DSD mechanism, key delegation is arguably
much more likely to be used. And if true, that means we have to do more
work analysing key management. With DSD, key delegation is arguably
much less likely to be used, or at least can be more easily avoided, in
which case analysis of key management is less of an issue for us.
Basically, what Jon said in response to Dave, except he said it