
Re: DNSEXT WGLC: TKEY Renewal Mode-02



> Which approach is better is a matter to think about, but unless there
> is a downside to allowing a tkey delete request to be signed with
> a partially revoked key (and I can't think of one off the top of
> my head, since deleting a key can be construed as part of a mechanism
> of using RFC 2930 to renew the key), then it would be nice if the
> protocol didn't preclude this possibility -- and allowing it would
> certainly improve at least one deployed implementation -- which
> currently has a hokey client side management of "is this key about
> to expire" logic.

I understand your point. I've noticed that the behavior where a
client only requests the deletion of it (or deletion of
the keys derived from it), signed with the partially revoked key
itself, would not cause any serious problems.

Obviously, this draft shows the rollover process based on
PartialRevoke and a following Renewal request, not requiring a
deletion request; however, as you said, it is also important
to consider friendliness toward current deployments.
I agree that it must not preclude other possibilities
without particular reasons.  Thanks.


> 
> 2) Just a minor thing -- I think section 1.3 would be clearer
> if paragraph 3 mentioned that the messages in the key renewal
> procedure are (or can be?) signed with the partially revoked key
> (I realise this is mentioned later, but it was my first question
> as I was reading it ...)

I'm now going to consider a modification.


---
Yuji Kamite (E-mail:y.kamite@ntt.com)
NTT Communications Corporation
TEL: +81-3-6800-3261 FAX: +81-3-5365-2990
