
Re: [Gen-art] Gen-ART review of draft-ietf-dnsop-dnssec-dps-framework-08

2012-07-19 10:22:35

On 2012-07-18, at 01:06, Russ Housley wrote:

> I think you missed my point.  In a PKI, when the issuer significantly changes
> the policy, subsequent certificates have a different policy identifier.  I do
> not see a similar concept here.

Russ, you are right. There is no such concept in DNSSEC (yet). Simply by 
looking at the signed data, there is no way of determining under what policy 
the data has been signed. Interested parties must stay informed using the 
process specified in section 1.4.3 (Specification change procedures) of the DPS.

Generally speaking, DNSSEC signatures are short-lived. From the time a new 
policy is in effect, old signatures will be flushed out within days. However, 
if there are significant changes made to the policy which materially affect the 
security posture of the zone, there may be several reasons to roll the signing 
key(s) and to indicate this in the DPS. This way, the validating party will be 
able to determine under what policy a signature has been generated, and act 
accordingly.

- Fredrik
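The following is an added example, not code from the message, the draft or its authors, showing how a validator could act on the approach described above once a key roll marks a DPS policy boundary: it parses RRSIG records in presentation format, maps each signature's key tag to a DPS version through a constructed key-tag-to-policy table, and flags signatures that are still within their validity window but were generated under a superseded policy. Key tags, policy names, effective dates and the sample records are all constructed for illustration.

```python
from datetime import datetime

# Constructed table (hypothetical): each DPS version is tied to the key tag(s)
# in use while it was in force, so a key roll marks the policy boundary.
POLICY_BY_KEYTAG = {12345: "DPS v1.0", 23456: "DPS v2.0"}
POLICY_EFFECTIVE = {"DPS v1.0": datetime(2011, 1, 1),
                    "DPS v2.0": datetime(2012, 7, 14)}   # v2.0 supersedes v1.0

def _ts(s):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S")

def parse_rrsig(line):
    """Parse an RRSIG in presentation format: owner ttl class RRSIG type alg
    labels origttl expiration inception keytag signer signature..."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"owner": f[0], "type": f[4], "expiration": _ts(f[8]),
            "inception": _ts(f[9]), "keytag": int(f[10])}

def policy_status(sig, now):
    """Return (policy, status) at datetime `now`: 'outside-window' (not valid
    now), 'unknown-key' (key tag not in the table), 'current' (newest policy)
    or 'lingering' (valid, but made under a superseded policy)."""
    policy = POLICY_BY_KEYTAG.get(sig["keytag"], "unknown")
    if not sig["inception"] <= now <= sig["expiration"]:
        return policy, "outside-window"
    if policy == "unknown":
        return policy, "unknown-key"
    newest = max(POLICY_EFFECTIVE, key=POLICY_EFFECTIVE.get)
    return policy, "current" if policy == newest else "lingering"

def audit(lines, now_ts):
    """Classify each RRSIG line at time `now_ts` (same YYYYMMDDHHMMSS format)."""
    now = _ts(now_ts)
    return [(s["owner"], s["type"]) + policy_status(s, now)
            for s in map(parse_rrsig, lines)]

# Constructed sample records: two made under the old key, one after the roll.
SAMPLE = [
    "www.example. 3600 IN RRSIG A 8 2 3600 20120725000000 20120711000000 12345 example. c2ln",
    "mail.example. 3600 IN RRSIG A 8 2 3600 20120715000000 20120701000000 12345 example. c2ln",
    "www.example. 3600 IN RRSIG AAAA 8 2 3600 20120801000000 20120718000000 23456 example. c2ln",
]

if __name__ == "__main__":
    for row in audit(SAMPLE, "20120719000000"):
        print(row)
```

A 'lingering' result is exactly the short-lived old-policy signature the message says will be flushed out within days; a validator that must apply the old policy's rules until then can do so from the key tag alone.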