
Re: [IPSECKEY] the -01 draft





>>>>> "Simon" == Simon Josefsson <jas@extundo.com> writes:
    Simon> There must be a trust relationship between the client and the
    Simon> server, so the client is able to trust that the data it is using
    Simon> really was unmodified.  Perhaps this is obvious, though.

  My impression is that "Security Considerations" sections are really there
to make sure that the obvious is clearly stated for all.

  The text is now:

4. Security Considerations

   This entire memo pertains to the provision of public keying material
   for use by key management protocols such as ISAKMP/IKE (RFC2407) [7].

   The IPSECKEY resource record contains information that MUST be
   communicated to the end client in an integral fashion - i.e.  free
   from modification.  The form of this channel is up to the consumer of
   the data - there must be a trust relationship between the end
   consumer of this resource record and the server.  This relationship
   may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
   another secure source, a secure local channel on the host, or some
   combination of the above.

   The semantics of this record is outside of the scope of this
   document, so no advice for users of this information is provided.
   Any user of this resource record MUST carefully document their trust
   model, and why the trust model of DNSSEC is appropriate, if that is
   the secure channel used.

Chairs, are there further issues with the -01 document?

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [




-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
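
The channel requirement in the Security Considerations text quoted in the message above, sketched as a consumer-side acceptance check. This is an added example, not code from the message, the draft, or any IPSECKEY implementation. The function names, the `tsig_verified` and `validated_locally` inputs (set by the caller after real cryptographic verification), and the treatment of a loopback resolver as the "secure local channel on the host" are assumptions made for illustration.

```python
import ipaddress
import struct

AD_BIT = 0x0020      # Authentic Data flag in the DNS header flags word
RCODE_MASK = 0x000F  # low four bits carry the response code


def header_flags(response: bytes) -> int:
    """Return the 16-bit flags word from a DNS message header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", response[:4])
    return flags


def channel_is_protected(resolver_ip: str, tsig_verified: bool) -> bool:
    """True for a TSIG/SIG(0)-verified channel or a resolver on this host.

    Assumption: loopback stands in for a secure local channel on the host.
    """
    return tsig_verified or ipaddress.ip_address(resolver_ip).is_loopback


def may_use_ipseckey(response: bytes, resolver_ip: str,
                     tsig_verified: bool = False,
                     validated_locally: bool = False) -> bool:
    """Decide whether IPSECKEY data in `response` arrived unmodified."""
    flags = header_flags(response)
    if flags & RCODE_MASK:
        return False                  # error response: no data to trust
    if validated_locally:
        return True                   # end-to-end DNSSEC validation
    # Relying on an upstream validator: its AD bit only means something
    # if the path between it and this consumer cannot be modified.
    ad_set = bool(flags & AD_BIT)
    return ad_set and channel_is_protected(resolver_ip, tsig_verified)


def make_header(flags: int) -> bytes:
    """Constructed sample header: ID 0x1234, one question, one answer."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)


if __name__ == "__main__":
    with_ad = make_header(0x81A0)     # QR, RD, RA, AD
    for resolver in ("127.0.0.1", "192.0.2.53"):
        print(resolver, may_use_ipseckey(with_ad, resolver))
```

The second resolver address is a documentation-range placeholder: the same AD-flagged answer is rejected there because nothing protects the path it travelled.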