Hi Paul,
> 
> On Oct 27, 2014, at 1:03 AM, Hosnieh Rafiee <hosnieh.raf...@huawei.com>
> wrote:
> > I guess you have heard about CGA-TSIG. What do you think about the
> approach explained there?
> 
> It still has many confusing dependencies that make it hard to
> understand, and it vastly oversells the IPv4 capabilities.

Would you please clarify the problem? I would welcome any comments to improve 
it and am open to any comments. Of course, I need to know the exact problem so that 
I can address it clearly. Which part of the draft is not readable? Which 
section needs improvement because it is not easily understandable? 

One of the problems that I tried to address in this version is to improve 
readability. Joel helped me to make it readable. But if we missed anything, I 
need the exact section that is not well written so that I can address it.

Regarding IP-based verification: DNS and all other services work on IP addresses and, as 
far as I know, they are also not behind any NAT or middlebox devices that would make 
it impossible to verify them based on IP. 
Resolvers are also currently verified on clients based on their source IP 
address. Now, the idea behind CGA-TSIG is simply that the resolver signs its 
messages, and by verifying this signature, the bindings help to 
authenticate this message. Then the client can use this public key of the 
resolver to encrypt a random value (used as a session key) and then encrypt the 
whole message using this random value and the AES algorithm. 

> > What do you think?
> 
> It is a distraction for this WG and should not be considered.

There might be several solutions in this regard. This draft is also simply a 
solution to DNS privacy (providing both authentication and the required encryption 
easily). 

So why do you think it is a distraction for the WG that addresses privacy?

Thanks,
Best,
Hosnieh

_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy
