[IPSECKEY] new draft -08
Hi, I posted my comments on Wednesday.
They are at:
http://www.sandelman.ottawa.on.ca/lists/html/ipseckey/msg00390.html
http://www.sandelman.ottawa.on.ca/lists/html/ipseckey/msg00391.html
I had to get the newest XML RFC bibliography to be able to format with
the suggested updates to various RFCs. (They really are new)
I would appreciate some feedback on this.
http://www.sandelman.ca/SSW/ietf/ipsec/key/ has the -08 draft.
Repeat of questions:
IESG> say "unsigned"? also, why not just specify the semantics of the
IESG> preference here, rather than pointing to a (rather unrelated) MX
IESG> record RR? Hunting for the MX text in another document seems
IESG> suboptimal (and results in an odd normative reference).
Chairs? Copy and paste from 1035?
We already reference 1035 for other reasons.
IESG> > Gateways listed in IPSECKEY records with lower precedence are
IESG> > to be
IESG> > attempted first. Where there is a tie in precedence, the order
IESG> > should be non-deterministic.
IESG>
IESG> Note: the above text seems out of place, given the previous paragraph
IESG> which just points to MX. Can't you just specify the behavior here (in
IESG> its entirety) and remove the normative dependency?
We could do that. Chairs?
IESG> Bert Wijnen:
IESG> Bigger issue:
IESG>
IESG> - The examples use the reverse DNS records to convey IPSECKEY record.
IESG> Does this have some unstated assumptions about the deployment of
IESG> IPSECKEY (e.g., to be usable, the participating nodes should record
IESG> the RRs in reverse records), or is this just a coincidence?
IESG> I note that the document does not discuss the deployment at all, but
IESG> that is probably intentional.
IESG>
IESG> If there is no connection to the reverse records, I'd suggest
IESG> rewording at least 3 of the 5 examples to use e.g. "nodeX.example.com
IESG> IN IPSECKEY ..."; if there is a requirement for reverse records, this
IESG> issue needs to be explicitly discussed. DNS deployment folks might
IESG> have something to say about that :-)
Chairs. Reverse is clearly in scope here.
Can you discuss with Bert?
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
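The two behaviours the IESG comments ask the draft to spell out, precedence ordering (lower value tried first, ties in non-deterministic order) and where the record lives (reverse tree vs. forward name), can be shown in a few lines of resolver-side logic. The following is an added example written for this page, not code from the draft, the list or any resolver; it assumes the field layout of the published IPSECKEY RR (RFC 4025: precedence, gateway type, algorithm, gateway, base64 key), and the zone lines, owner names, 192.0.2.0/24 and 2001:db8::/32 addresses and the key blob are all constructed sample data.

```python
"""Order IPSECKEY gateways by precedence, with random tie-breaking, and
derive the reverse-tree owner name for an address.  Added example; not the
draft's or any resolver's code.  All sample data below is constructed."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class IpsecKey:
    owner: str
    precedence: int    # one octet; lower values are attempted first
    gateway_type: int  # 0 none, 1 IPv4, 2 IPv6, 3 domain name (RFC 4025 values)
    algorithm: int     # 0 none, 1 DSA, 2 RSA (RFC 4025 values)
    gateway: str
    public_key: str    # base64 as presented in the zone; may be empty


def parse_ipseckey(line: str) -> IpsecKey:
    """Parse one zone line: 'owner [TTL] IN IPSECKEY prec gwtype alg gateway [key]'."""
    f = line.split()
    if len(f) >= 3 and f[1].isdigit():  # tolerate an optional TTL
        del f[1]
    if len(f) < 7 or f[1].upper() != "IN" or f[2].upper() != "IPSECKEY":
        raise ValueError(f"not an IPSECKEY record: {line!r}")
    prec, gwtype, alg = (int(x) for x in f[3:6])
    if not 0 <= prec <= 255:
        raise ValueError("precedence must fit in one octet")
    if gwtype not in (0, 1, 2, 3) or alg not in (0, 1, 2):
        raise ValueError("unknown gateway type or algorithm")
    gateway = f[6]
    if gwtype == 1:
        ipaddress.IPv4Address(gateway)   # raises on a malformed address
    elif gwtype == 2:
        ipaddress.IPv6Address(gateway)
    elif gwtype == 0 and gateway != ".":
        raise ValueError("a no-gateway record presents the gateway as '.'")
    return IpsecKey(f[0], prec, gwtype, alg, gateway, "".join(f[7:]))


def order_gateways(records: List[IpsecKey], seed: Optional[int] = None) -> List[IpsecKey]:
    """Lower precedence first; records that tie are shuffled so the order is
    non-deterministic (pass a seed only to make a run reproducible)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    buckets: Dict[int, List[IpsecKey]] = {}
    for r in records:
        buckets.setdefault(r.precedence, []).append(r)
    ordered: List[IpsecKey] = []
    for prec in sorted(buckets):
        group = buckets[prec][:]
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def reverse_owner(ip: str) -> str:
    """Owner name under which a reverse-tree IPSECKEY record for `ip` would sit."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


# Constructed zone lines (dummy key blob, documentation addresses).
DUMMY_KEY = "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA="
SAMPLE_ZONE = [
    # reverse-tree form, as in the draft's examples
    f"38.2.0.192.in-addr.arpa. IN IPSECKEY 10 1 2 192.0.2.38 {DUMMY_KEY}",
    # forward-name form, as the IESG comment suggests for some examples
    f"nodea.example.com. 3600 IN IPSECKEY 10 3 2 gw-a.example.com. {DUMMY_KEY}",
    f"nodea.example.com. IN IPSECKEY 5 2 2 2001:db8::1 {DUMMY_KEY}",
    "nodea.example.com. IN IPSECKEY 200 0 0 .",
]


def ordered_sample(seed: Optional[int] = None) -> List[IpsecKey]:
    return order_gateways([parse_ipseckey(l) for l in SAMPLE_ZONE], seed)


def tie_orders_seen(precedence: int, seeds: range) -> Set[Tuple[str, ...]]:
    """Distinct orderings observed for the records tied at `precedence`."""
    return {tuple(r.gateway for r in ordered_sample(s) if r.precedence == precedence)
            for s in seeds}


if __name__ == "__main__":
    for r in ordered_sample():
        print(r.precedence, r.gateway_type, r.gateway, "at", r.owner)
    print(reverse_owner("192.0.2.38"), reverse_owner("2001:db8::1"))
```

Running the module prints the four sample records in attempt order; the precedence-5 IPv6 gateway always comes first and the no-gateway record (precedence 200) last, while the two precedence-10 entries swap places from run to run, which is the non-deterministic tie-breaking the quoted text calls for.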