Eliot -

I read the first specification: draft-noss-jeftovic-groundmark-core

Here are some comments on your specification:

- I fully agree with this sentiment: "when an agent presents itself to a
counterparty, is there an accountable party behind it, established without
a central registry." Agents need an anchored identity for any contracts to
be meaningful.

- I need more convincing that "domain" is that identity anchor. I also
think DKIM analogy ineeds work. DKIM is not just a public key that happens
to be in the DNS. It authenticates outgoing email as originating from a
given domain because the email address and the domain share the same
namespace and the domain controls the MX record that designates the mail
server that holds the DKIM public key. In the groundmark framework, the
domain is just a discovery point for a public key.

- DNS can be a useful discovery mechanism for agents it hosts; the document
is less convincing that the domain provides a natural namespace for agent
identity. Identity management requires uniqueness management and collision
avoidance among other things.

- DNSSEC "MUST" seems like a steep requirement. While extra security is
always a good thing, it must be commensurate with other DNS assets. If DKIM
and DMARC - which you use as analogous concepts, operate without DNSSEC,
why GroundMark warrants DNSSEC MUST needs explanation.

- I think explicit statement of non-goals is good.

- The document has put a lot of thought into the cryptographic attestation
which is good. I'd encourage a more thorough description of what agent
"identity" means. Given "procurement.enterprise.com", how would I know it
is not some url, but an agent? If an agent is cross-organizational and have
different urls on two different domains but is really the same agent, does
the domain affiliation create split identity unnecessarily?

- FYI: I recently reviewed a specification with similar goals and
architecture for associating keys with email identities.
https://datatracker.ietf.org/doc/draft-swaminathan-dka-framework/

Good luck.

Bob Traverz
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to