
Re: Transition from 2535 to opt-in



On Thu, 6 Dec 2001, Ted Lindgreen wrote:

> then I argue that authenticated denial is not needed, as we now
> only need to prove that a certain RR that we want to be secured
> verifies. Example:
>
>  I (secure aware user) want to set up an ssh/ipsec tunnel, do
>  banking business, or whatever, with you (secure aware site).
>  It would be very handy, if I can get the key-info from DNS,
>  but I would only use that info when it verifies.
>  The same is true for the other side, as you want to make sure
>  that I am the one I pretend to be.
>  Now there are only two possibilities that matter:
>  1. It verifies ==> OK
>  2. It does not verify ==> not OK, but further it is totally
>     irrelevant whether the info was bad, spoofed, had an
>     outdated sig, or was intentionally not secured: for its
>     usage it is just not good enough.



ridiculous



1. it verifies ==> OK
2. it does not verify ==> not OK.

Then I want to know what went wrong.

 -) Spoofed ?
 -) DoSed ?
 -) Simple typo on my side ?
 -) some other unexpected variable ?

       OR

 -) is it VERIFIABLY UNSECURE ?

The difference between the first 4 points and the last is authenticated
denial. With the first 4 you simply don't know what went wrong.

When you identify your bank and it is not ok, you then simply go home and
tell yourself "not ok" and don't care about it ? The rest is irrelevant ?
Or could it be that the bank moved, you're lost, you're in the wrong city
or simply are at the wrong bank.

There is no difference between a signed RRset AND its authenticated
denial in opt-in and in rfc 2535, whether we're talking usage or
importance.

Roy Arends
Nominum
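
The distinction argued in the message above, as an added example that is not part of the original post: a simplified Python sketch of how a signed RFC 2535 NXT record lets a resolver tell "provably not there" apart from "failed for an unknown reason". The zone names, the `classify` helper and the `sig_ok` flag (standing in for real SIG verification against a trusted key) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NXT:
    owner: str          # name that owns this NXT record
    next_name: str      # next existing name in the zone's canonical order
    types: frozenset    # RR types present at owner
    sig_ok: bool        # assumption: True means its SIG verified to a trusted key


def canonical_key(name):
    """Sort key for canonical DNS name order: labels right to left, lowercased."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]


def denies(nxt, qname, qtype):
    """True if this NXT proves qname/qtype absent (qname assumed inside the zone)."""
    q, lo, hi = (canonical_key(n) for n in (qname, nxt.owner, nxt.next_name))
    if q == lo:                       # name exists: is the type missing?
        return qtype not in nxt.types
    if lo < hi:                       # ordinary span between two existing names
        return lo < q < hi
    return q > lo                     # last NXT wraps back to the zone apex


def classify(answer_sig_ok, qname, qtype, nxts):
    if answer_sig_ok:
        return "verified"
    if any(n.sig_ok and denies(n, qname, qtype) for n in nxts):
        return "authenticated denial"
    return "indeterminate"            # spoofed, DoSed, typo, ...: cannot tell which


# Constructed sample zone data, not taken from any real zone.
ZONE_NXT = [
    NXT("example.", "bank.example.", frozenset({"SOA", "NS", "KEY", "SIG", "NXT"}), True),
    NXT("bank.example.", "www.example.", frozenset({"A", "SIG", "NXT"}), True),
    NXT("www.example.", "example.", frozenset({"A", "KEY", "SIG", "NXT"}), True),
]

if __name__ == "__main__":
    for name, rtype in [("bank.example.", "KEY"), ("mail.example.", "KEY"),
                        ("www.example.", "KEY")]:
        print(name, rtype, classify(False, name, rtype, ZONE_NXT))
```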


