Re: MagicType draft
On Tue, 16 Nov 2004, Miek Gieben wrote:
> > What happens if there is a mix of DNSSECbis and "this method" keys in a DS
> > set?
...
> But I guess the answer is, you mustn't do that. If we say you MUST NOT
> do that, it would conflict with DNSSECbis.
I don't see the conflict with DNSSECbis. A co-existence restriction
makes it difficult if not impossible to change between the
non-existence proof mechanisms without going through an unsecure
state, which would not satisfy an identified requirement[1]. Other
than that, I think the restriction would be fine to add, even if it
means a change to DNSSECbis.
-- Sam
[1] This may or may not be a problem. Our requirements document
doesn't tell us whether any of those who are unwilling to do on-line
signing (the epsilon approach or the MagicType approach) also need to
be able to transition from enumerable NSEC to something new without
going unsecure. I'd still like to see that analysis. For
clarification:
http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg01994.html
http://ops.ietf.org/lists/namedroppers/namedroppers.2004/msg01823.html
--
archive: <http://ops.ietf.org/lists/namedroppers/>