----- Original Message -----
From: "Stephen Farrell" <stephen(_dot_)farrell(_at_)cs(_dot_)tcd(_dot_)ie>
To: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>
Meanwhile, I just want to clarify one thing, since I seem to have
confused a number of folks:
My point is that without the DSD mechanism, key delegation
is arguably much more likely to be used. And if true, that
means we have to do more work analysing key management. With
DSD, key delegation is arguably much less likely to be used,
or at least can be more easily avoided, in which case
analysis of key management is less of an issue for us.
I found this angle you brought up interesting. :-) Although I understand
you were not advocating either way, I take any plus arguments for SSP DSD.
But I do have to note that I didn't entirely think that it would complicate
key management. I do see your point though.
I also wish to note that there are two schools here for DSD:
- DSD list the 3rd party domains only,
- DSD can also list 1st party domains
The DSAP proposal currently defines the 3PL= tag as a list of 3rd party
domains. I think this keeps it simple since the main concern is the
uncontrolled, open-ended, unrestricted signing of 3rd party entities.
However, I believe Doug indicated it can help fold or simplify the syntax by
allowing 1st party domains to be listed as well. He also suggested
wildcard support, e.g., *.isp.com.
Hector Santos, Santronics Software, Inc.
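As an added illustration of the 3PL= check discussed above (example code, not part of this thread or of the DSAP draft), here is how a verifier could decide whether a signing domain is authorized for an author domain under the two schools: first-party signatures are always accepted, third parties only when listed, and a `*.isp.com` entry matches subdomains. The comma separator and the rule that a wildcard matches only proper subdomains are assumptions made for this example.

```python
from typing import List, Optional

# Example code, not the DSAP draft's own parser. Assumed syntax: the 3PL=
# value is a comma-separated list of domain patterns; "*.base" matches any
# proper subdomain of base (not base itself). Both are assumptions.


def parse_3pl(tag_value: str) -> List[str]:
    """Split a 3PL= value into lower-cased, trimmed domain patterns."""
    return [p.strip().lower().rstrip(".") for p in tag_value.split(",") if p.strip()]


def pattern_matches(pattern: str, domain: str) -> bool:
    """Exact match, or wildcard '*.base' matching a proper subdomain of base."""
    domain = domain.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        # Require the dot boundary so "*.esp.net" does not match "evilesp.net".
        return domain != base and domain.endswith("." + base)
    return domain == pattern


def signer_allowed(author_domain: str, signer_domain: str,
                   tag_value: Optional[str]) -> bool:
    """
    First-party signatures (signer == author domain) are always allowed,
    so listing the 1st party domain in 3PL= is harmless but unnecessary.
    A 3rd party signer is allowed only if it matches a listed pattern;
    with no list, or an empty one, no third party is authorized, which
    addresses the open-ended third-party signing concern raised above.
    """
    author = author_domain.lower().rstrip(".")
    signer = signer_domain.lower().rstrip(".")
    if signer == author:
        return True
    if not tag_value:
        return False
    return any(pattern_matches(p, signer) for p in parse_3pl(tag_value))


if __name__ == "__main__":
    # Constructed sample: author domain example.com lists one exact
    # third party and one wildcard third party.
    policy = "isp.com, *.esp.net"
    for signer in ("example.com", "isp.com", "mail.esp.net", "esp.net", "evilesp.net"):
        print(signer, "->", signer_allowed("example.com", signer, policy))
```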