
Re: [IPSECKEY] the -01 draft





Simon, I see your point in the text that I wrote. Not my intention to
restrict it. Jakob's text still implies that the signatures must be checked,
which is not the case if one knows one is pulling it from a local server
which may have an authoritative on disk source.

How about:
    The IPSECKEY resource record contains information that MUST be
    communicated to the end client in an integral fashion - i.e. free
    from modification. The form of this channel is up to the consumer
    of the data. It may be end-to-end DNSSEC validation, a TSIG or SIG(0)
    channel to another secure source, a secure local channel on the
    host, or some combination of the above.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
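
Added example, not part of the original message or of the draft: a consumer-side check that names which of the channels listed in the proposed text protects an IPSECKEY answer, and rejects an answer that no channel protects. The function names, the `tsig_verified` and `locally_validated` parameters, and the treatment of loopback as the "secure local channel on the host" are assumptions of this sketch; the DNS headers are constructed samples.

```python
import ipaddress
import struct
from typing import Optional

AD_FLAG = 0x0020  # "Authentic Data" bit in the DNS header flags word

def ad_bit(wire: bytes) -> bool:
    """True if the upstream server claims it DNSSEC-validated the answer."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", wire[:4])
    return bool(flags & AD_FLAG)

def integrity_channel(wire: bytes, server: str, *, tsig_verified: bool = False,
                      locally_validated: bool = False) -> Optional[str]:
    """Name the channel that protects this answer, or None if nothing does.

    tsig_verified / locally_validated are results the caller obtained from
    its DNS library (hypothetical parameters for this sketch).
    """
    if locally_validated:
        return "end-to-end DNSSEC validation"
    upstream_validated = ad_bit(wire)
    if tsig_verified:
        channel = "TSIG or SIG(0) channel"
    elif ipaddress.ip_address(server).is_loopback:
        # Assumption: loopback counts as a "secure local channel on the host".
        channel = "secure local channel"
    else:
        # AD is only a claim in an unauthenticated header: anyone on the
        # path can set it, so it does not make the data "integral".
        return None
    if upstream_validated:
        channel += " + DNSSEC validation upstream"
    return channel

def header(flags: int) -> bytes:
    """Constructed 12-byte DNS header (no sections), for the samples below."""
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

if __name__ == "__main__":
    with_ad, without_ad = header(0x81A0), header(0x8180)
    print(integrity_channel(without_ad, "127.0.0.1"))
    print(integrity_channel(with_ad, "192.0.2.53", tsig_verified=True))
    print(integrity_channel(with_ad, "192.0.2.53"))
```

The last call returns `None`: an AD bit received from a remote resolver over an unprotected transport is none of the channels in the proposed text, so the key material must not be used.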