
Evaluation: draft-ietf-dnsext-keyrr-key-signing-flag



DISCUSS:

The document fails to distinguish public keys and private keys. This is prevalent throughout the document. For example:

    One key is used to sign just the zone's KEY
    resource record (RR) set and is the key
    referenced by a DS RR at the parent or
    configured statically in a resolver.

The first half of the sentence is referring to the private key that is used to sign the RR set, and the second half of the sentence is referring to the public key that is used to validate the signature on the RR set. People who are very familiar with public key cryptography may not get confused, but I believe that many implementors will be misled.

It is interesting to note that the 'KSK' and 'ZSK' labels are being applied to the public keys, which are used for signature validation, not the private keys, which are used for signing.

COMMENT:

In section 2, the document says: "The SEP bit (TBD) ..." The bit position of the SEP flag bit has been set, so I do not understand the "TBD."
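Added illustration, not part of this message or of the draft under review: a small Python helper that decodes the flags field of a KEY/DNSKEY RR as the bit positions were finally fixed in RFC 3757 and RFC 4034 (Zone Key at bit 7, SEP at bit 15), labels the public key KSK or ZSK the way the draft does, and computes the key tag a DS RR at the parent uses to reference it. The RDATA bytes below are constructed, not a real key.

```python
"""Added example: inspect the flags of a DNSKEY/KEY RR to tell a SEP-flagged
key-signing key (KSK) from a zone-signing key (ZSK), and compute the key
tag that a DS RR at the parent uses to reference it.  Bit layout follows
RFC 3757 / RFC 4034; the sample RDATA below is constructed, not a real key."""
import struct

ZONE_KEY_FLAG = 0x0100  # bit 7: this key signs zone data (RFC 4034 s2.1.1)
SEP_FLAG = 0x0001       # bit 15: Secure Entry Point (RFC 3757)


def build_dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole RDATA (algorithm 1 excluded)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def classify_dnskey(rdata: bytes) -> dict:
    """Decode the flags and label the key the way the draft labels it.

    The label describes the *public* key carried in the RR; the private half
    that actually produces signatures never appears on the wire.
    """
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    zone_key = bool(flags & ZONE_KEY_FLAG)
    sep = bool(flags & SEP_FLAG)
    if not zone_key:
        role = "not a zone key"  # RFC 4034: must not be used to verify RRSIGs
    elif sep:
        role = "KSK"  # intended to be the key referenced by the parent's DS
    else:
        role = "ZSK"
    # The SEP bit is only a hint for operators and signers; a validator still
    # establishes trust through the DS RR (or a configured trust anchor).
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "zone_key": zone_key, "sep": sep, "role": role,
            "key_tag": key_tag(rdata)}


if __name__ == "__main__":
    fake_pubkey = b"\x01\x02\x03\x04"  # constructed placeholder, not a real key
    for flags in (257, 256, 0):
        print(classify_dnskey(build_dnskey_rdata(flags, 3, 8, fake_pubkey)))
```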