Sorry to enter the discussion late, but I have a couple of comments and hopefully helpful suggestions. I've elided anything that I agree with. I should also add that I think the WG presenting a position on this is an excellent idea, and I commend Jim for his hard work and patience on this.

Jim Reid wrote:
> # # $Id: ntia-draft,v 1.7 2008/11/07 11:55:18 jim Exp $ #
>
> The RIPE community (or DNS WG?)

I'd say "The RIPE DNS Working Group" here, and "the Working Group" hereafter.

> It is to be expected that a community as diverse as RIPE cannot have a unified set of detailed answers to the NTIA questionnaire.
> However

I would say "Therefore" here.

> several members of the RIPE community will be individually responding to that questionnaire.
>
> 5. Deployment of a signed root should be done in a timely but not hasty manner.

To my tastes this sounds a little too much like "diplo-speak." That sentence doesn't have any technical meaning, so if we are presenting ourselves as technologists I would not say this at all, or at least say it differently.

> 6. To assist with a timely deployment, any procedural changes introduced by DNSSEC should be aligned with the current process for coordinating changes to and the distribution of the root zone. However those procedural changes should provide sufficient flexibility to allow for the roles and processes as well as the entities holding those roles to be changed after suitable consultations have taken place.

Again, I can't find any actual meaning in that paragraph.

> 7. Policies and processes for signing the root zone should make it easy for TLDs to supply keys and credentials so the delegations for those TLDs can benefit from a common DNSSEC trust anchor, the signed root.

I don't like this one at all, as "easy" has no technical meaning, and it's way too generic. I also think that the bit about "benefiting from a common trust anchor" deserves its own line item given that it's a major motivating factor for signing the root. How about something like:

Because DNSSEC keys have technical properties similar to name server delegation records, the procedure for submitting and authenticating keys should be very similar, if not identical, to that of submitting delegation records.

> 9. No data should be moved between organisations related to the process of editing, publishing, or signing the root zone without appropriate authenticity and integrity checking.
>
> 10. The public part of the key signing key must be distributed as widely as possible.

Once again IMO this sentence has no technical meaning, but I would not object to it being included.

> 11. The organisation that generates the root zone file must sign the file and therefore hold the private part of the zone signing key.
I get very icky feelings reading this sentence. Not sure why yet ...

hth,

Doug

ObDisclaimer: Speaking only for myself, and not for any past, future, present, or inter-dimensional employers.