Eliot - I read the first specification: draft-noss-jeftovic-groundmark-core
Here are some comments on your specification: - I fully agree with this sentiment: "when an agent presents itself to a counterparty, is there an accountable party behind it, established without a central registry." Agents need an anchored identity for any contracts to be meaningful. - I need more convincing that "domain" is that identity anchor. I also think DKIM analogy ineeds work. DKIM is not just a public key that happens to be in the DNS. It authenticates outgoing email as originating from a given domain because the email address and the domain share the same namespace and the domain controls the MX record that designates the mail server that holds the DKIM public key. In the groundmark framework, the domain is just a discovery point for a public key. - DNS can be a useful discovery mechanism for agents it hosts; the document is less convincing that the domain provides a natural namespace for agent identity. Identity management requires uniqueness management and collision avoidance among other things. - DNSSEC "MUST" seems like a steep requirement. While extra security is always a good thing, it must be commensurate with other DNS assets. If DKIM and DMARC - which you use as analogous concepts, operate without DNSSEC, why GroundMark warrants DNSSEC MUST needs explanation. - I think explicit statement of non-goals is good. - The document has put a lot of thought into the cryptographic attestation which is good. I'd encourage a more thorough description of what agent "identity" means. Given "procurement.enterprise.com", how would I know it is not some url, but an agent? If an agent is cross-organizational and have different urls on two different domains but is really the same agent, does the domain affiliation create split identity unnecessarily? - FYI: I recently reviewed a specification with similar goals and architecture for associating keys with email identities. https://datatracker.ietf.org/doc/draft-swaminathan-dka-framework/ Good luck. Bob Traverz
_______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
