[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [IPSECKEY] the -01 draft
Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
> Simon, I see your point in the text that I wrote. Not my intention to
> restrict it. Jakob's text still implies that the signatures must be checked,
> which is not the case if one knows one is pulling it from a local server
> which may have an authoritative on disk source.
>
> How about:
> The IPSECKEY resource record contains information that MUST be
> communicated to the end client in an integral fashion - i.e. free
> from modification. The form of this channel is up to the consumer
> of the data. It may be end-to-end DNSSEC validation, a TSIG or SIG(0)
> channel to another secure source, a secure local channel on the
> host, or some combination of the above.
Sounds good.
There must be a trust relationship between the client and the server,
so the client is able to trust that the data it is using really was
unmodified. Perhaps this is obvious, though.
Thanks!
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.