On Tue, Mar 17, 2015 at 01:13:15PM +0000, Wiley, Glen wrote:
> I would like to suggest that we need to begin considering the need for
> users to directly affect the records that refer to them. For example you
> want a user to be able to manage their own public key without getting the
> zone administrator involved directly. One way to do this is to use a
> system that proxies for the zone administrator, but the bottom line is
> that as we move toward user specific data in the DNS we need to begin
> thinking about things a little differently.
It'd be nice if there was a decent authorization model for DNS updates.
In practice one has to use a proxy to implement authorization for DNS
updates.

This is a topic for a different working group, but DANE brings this
problem to the foreground as administrators have to delegate authority
over TLSA RR contents to the owners of the associated end entities (in
this case: the end entities themselves).

Without a standard mechanism for delegation of authority DANE will be
difficult to use in enterprise systems (where TLSA RRs for servers may
not matter so much, but user S/MIME certs will probably matter more). I
suspect that proprietary and/or IMAP (with extensions) email services
will end up acting as the proxies in this case.

("Obviously" one might want to store authorization information in DNS
itself, but the moment one brings user groups into the picture, things
get custom/complicated.)

Nico
--
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
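The "proxy that implements authorization for DNS updates" discussed above, as an added example that is not part of the original message or of any IETF document. The proxy's job is the part RFC 2136 does not give you: after authenticating a principal (not shown), decide whether that principal may touch the requested owner name and RR type, then hand a scoped update to the zone master over a TSIG key the proxy holds. The zone `example.com.`, the delegation table, the principal names and the certificate bytes are all constructed; the SMIMEA owner-name rule (SHA-256 of the local-part truncated to 28 octets, under `_smimecert`) is the one published later in RFC 8162, and the TLSA rdata layout follows RFC 6698. The output is the text the proxy would feed to `nsupdate -k <tsig-key-file>`.

```python
import hashlib
import re

# Constructed zone and delegation table for this example. A real proxy would
# take the delegations from its identity provider or directory.
ZONE = "example.com."
DELEGATIONS = {
    # a user may manage the SMIMEA record for their own mailbox only
    "alice@example.com": {"mailboxes": {"alice@example.com"}, "hosts": set()},
    # a host-admin role may manage TLSA records under its own hosts only
    "webops": {"mailboxes": set(), "hosts": {"www.example.com", "mail.example.com"}},
}

_RDATA_RE = re.compile(r"^([0-3]) ([01]) ([0-2]) ([0-9a-fA-F]+)$")
_TLSA_OWNER_RE = re.compile(r"^_(\d{1,5})\._(tcp|udp|sctp)\.(.+)$")


def smimea_owner_name(mailbox: str) -> str:
    """RFC 8162 owner name: sha256(local-part)[:28] hex . _smimecert . domain."""
    local_part, _, domain = mailbox.partition("@")
    label = hashlib.sha256(local_part.encode("utf-8")).digest()[:28].hex()
    return f"{label}._smimecert.{domain.lower().rstrip('.')}."


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0,
               matching_type: int = 1) -> str:
    """Presentation-format TLSA/SMIMEA rdata (RFC 6698 section 2.2).

    Only selector 0 (full certificate) is handled; selector 1 would need an
    ASN.1 parser to extract the SubjectPublicKeyInfo.
    """
    if selector != 0:
        raise ValueError("selector 1 needs DER parsing; not handled here")
    if matching_type == 0:
        data = cert_der
    elif matching_type == 1:
        data = hashlib.sha256(cert_der).digest()
    elif matching_type == 2:
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching_type} {data.hex()}"


def rdata_is_wellformed(rdata: str) -> bool:
    """Field ranges per RFC 6698; hash length must match the matching type."""
    m = _RDATA_RE.match(rdata)
    if not m:
        return False
    matching_type, hexdata = int(m.group(3)), m.group(4)
    expected = {1: 64, 2: 128}.get(matching_type)
    return (expected is None or len(hexdata) == expected) and len(hexdata) % 2 == 0


def authorize(principal: str, owner: str, rrtype: str, rdata: str):
    """Return (allowed, reason). Only TLSA/SMIMEA at delegated names pass."""
    grant = DELEGATIONS.get(principal)
    if grant is None:
        return False, "unknown principal"
    if not owner.endswith("." + ZONE):
        return False, "owner name outside the zone this proxy serves"
    if not rdata_is_wellformed(rdata):
        return False, "malformed rdata"
    if rrtype == "SMIMEA":
        if owner in {smimea_owner_name(m) for m in grant["mailboxes"]}:
            return True, "mailbox owner"
        return False, "not the owner of this mailbox"
    if rrtype == "TLSA":
        m = _TLSA_OWNER_RE.match(owner)
        if m and 1 <= int(m.group(1)) <= 65535 and m.group(3).rstrip(".") in grant["hosts"]:
            return True, "delegated host"
        return False, "host not delegated to this principal"
    return False, "only TLSA/SMIMEA may be changed through this proxy"


def nsupdate_script(owner: str, rrtype: str, rdata: str, ttl: int = 3600) -> str:
    """Text for `nsupdate -k <key>`; replaces every RR of rrtype at owner."""
    return "\n".join([
        f"zone {ZONE}",
        f"update delete {owner} {rrtype}",
        f"update add {owner} {ttl} IN {rrtype} {rdata}",
        "send",
    ]) + "\n"


if __name__ == "__main__":
    cert = b"\x30\x82\x01\x00" + b"\x00" * 252   # constructed stand-in for a DER cert
    owner = smimea_owner_name("alice@example.com")
    rdata = tlsa_rdata(cert)                      # usage 3 (DANE-EE), full cert, SHA-256
    ok, why = authorize("alice@example.com", owner, "SMIMEA", rdata)
    print(ok, why)
    if ok:
        print(nsupdate_script(owner, "SMIMEA", rdata), end="")
```

The delegation check is deliberately narrow: a user gets exactly the `_smimecert` name derived from their own mailbox, a host admin gets `_<port>._<proto>.<host>` names only under hosts listed for them, and every other name or RR type is refused before anything reaches the zone master. The "delete then add" pair keeps a user from accumulating stale records for old certificates; if several certificates must be valid at once, drop the delete and let the user manage individual rdata values instead.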