On Mon, Nov 03, 2008 at 04:12:02PM +0000, Jim Reid wrote:
> On Nov 3, 2008, at 16:05, bmanning@vacation.karoshi.com wrote:
>>> 10. The organisation that generates the root zone file must hold the private part of the zone signing key.
>> the imperative in this point is made with zero justification. why the "must hold"?
> Well, it will be hard to sign the root if the entity that generates the zone hasn't got access to the private part of the ZSK.
That's hardly true, unless the presumptive argument is that the generator also signs. Going w/ your earlier thread, the pragmatic approach (get the zone signed this decade) is exactly down that line of argument.

I, however, am taking a slightly divergent POV. I think it is required to create a third party to generate/hold/use the keys (some blend of options #3 and #6 in the graphics). A strictly technical solution would be to eliminate two of the three parties currently involved. There is no technical reason things are structured the way they are today. There are sound political reasons to create a new structure, one that does not assemble the data or publish the data but simply attests to the data.

Anyway, point 10 would be clearer if the reason for the "must" was made explicit.

--bill