Hello, Mark Jeftovic (easyDNS) and I filed two Internet-Drafts in May. I am writing to ask this list to look hard at the DNS-layer design before anything else.
A short word on who I am, for those who do not know me: I spent many years as CEO of Tucows. Groundmark is independent of any company. The motivation is the gap left by the payment and authorization work now moving quickly around agents. Those efforts answer how an agent pays or what it is permitted to do in a session. None answers a prior question: when an agent presents itself to a counterparty, is there an accountable party behind it, established without a central registry. We think the answer is the same place DKIM put it. A key in a TXT record, anchored to a registrant a registrar has already verified. What the core draft actually adds to DNS is small and, we hope, unobjectionable: - Two TXT records under RFC 8552 reserved underscore labels: _agentid (an Ed25519 signing key) and _agentclaim (a reference to an externally hosted attestation), both tagged v=gm1. - Request authentication is a profile of HTTP Message Signatures (RFC 9421), not a new mechanism. - DNSSEC is a MUST in the verification flow, borne by participants rather than asked of the whole internet. - DNS remains discovery only. The attestation itself is fetched over HTTPS; DNS holds a reference, not the claim. The IANA ask is registration of _agentid and _agentclaim in the Underscored and Globally Scoped DNS Node Names registry (RFC 8552). That, the DNSSEC requirement, and coexistence with _dmarc, DKIM, TLSA, and the ANS and DNS-AID drafts are the places I most want your scrutiny. A companion draft carries the attestation semantics, kept separate so the DNS work stands on its own. Core: draft-noss-jeftovic-groundmark-core-00 Attestation: draft-noss-jeftovic-groundmark-attestation-00 I would value the review, sharp or otherwise. EN _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
