>> CT-for-PKIX helps a web site administrator determine if a trusted CA ever
>> issued a certificate that should not have been issued.
>>
>> CT-for-DNSSEC helps a DNS zone administrator determine whether a DNS server
>> in the hierarchy above the leaf zone ever included a DS record that should
>> not have been included.
>>
>> It would be good to have agreement on the above; feel free to offer changes
>> and see if the authors agree. Then we can talk about the relationship
>> between the two.
>>
>
> Sounds reasonable to me.
>
> Does "CT" need to be renamed for DNSSEC? Since we're talking about
> transparency of delegation records/keys and not X.509 certificates.
> If C means "certification" in the general sense, then I suppose it
> might still be applicable since a (signed) DS record certifies the
> authenticity of the secure entry point key in a subordinate zone.
"DST"?

The definitions sound reasonable, but I'm at a loss as to why you would
bother with "CT-for-DNSSEC". The whole point of CT is that the space of
X.509 issuers is very large, and the certificates can be presented by any
server on the Internet. It's a hassle to check every, say, HTTPS server on
the Internet to see if a cert with your name is being provided.

In DNSSEC, the set of "issuers" is very small (parent domains), and the DS
records originate from a well-defined set of sources (authoritative servers
for those domains). Checking those servers is not that much more difficult
than checking a CT log, and doesn't require any new protocol.

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
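The check the reply above has in mind, as an added example that is not part of the original message or of any IETF work: a child zone operator computes the DS record(s) that the parent should be publishing from the child's own DNSKEY (RFC 4034 section 5.1.4 for the digest, Appendix B for the key tag) and diffs that set against the DS RRset each of the parent's authoritative servers actually answers with. The DNSKEY bytes, the DS records and the server names (`ns1.parent.example` and so on) are constructed for illustration; the "observed" answers stand in for what `dig +norecurse @server example.com. DS` would return.

```python
"""Audit the DS RRset the parent's authoritative servers serve for a child zone.

Added example for this thread, not code from the original message or from the
IETF. Records, key bytes and server names are constructed for illustration.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass

# DS digest over (canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4;
# key tag per RFC 4034 Appendix B. Digest-type numbers are IANA registry values.
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True, order=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

    def to_text(self) -> str:
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest}"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form: length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> DS:
    """The DS record the parent *should* publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), algorithm, digest_type, digest)


def parse_ds(rr_text: str) -> DS:
    """Parse DS RDATA in presentation form, e.g. '12345 13 2 AB CD ...' (digest may contain spaces)."""
    fields = rr_text.split()
    tag, alg, dtype = (int(x) for x in fields[:3])
    return DS(tag, alg, dtype, "".join(fields[3:]).lower())


def audit_parent_ds(expected: set[DS], observed: dict[str, list[str]]) -> dict[str, dict[str, list[DS]]]:
    """Per parent server: DS records it serves that the child never published ('unexpected')
    and published DS records it fails to serve ('missing')."""
    report = {}
    for server, rr_texts in observed.items():
        seen = {parse_ds(t) for t in rr_texts}
        report[server] = {"unexpected": sorted(seen - expected), "missing": sorted(expected - seen)}
    return report


# --- constructed data ---------------------------------------------------------
CHILD = "example.com."
# Filler bytes standing in for a 64-byte ECDSA P-256 public key (algorithm 13); not a real key.
CHILD_KSK_B64 = base64.b64encode(bytes(range(1, 65))).decode()
EXPECTED_DS = {ds_from_dnskey(CHILD, 257, 3, 13, CHILD_KSK_B64)}

_OURS = next(iter(EXPECTED_DS)).to_text()
ROGUE_DS = "4242 13 2 " + "ff" * 32  # constructed: a DS the child never asked for
OBSERVED = {  # hypothetical answers to `dig +norecurse @<server> example.com. DS`
    "ns1.parent.example": [_OURS],
    "ns2.parent.example": [_OURS, ROGUE_DS],   # extra DS: someone else's key delegated to
    "ns3.parent.example": [],                  # our DS dropped on this server
}


def run_audit() -> dict[str, dict[str, list[DS]]]:
    return audit_parent_ds(EXPECTED_DS, OBSERVED)


if __name__ == "__main__":
    for server, r in run_audit().items():
        print(server, "unexpected:", [d.key_tag for d in r["unexpected"]],
              "missing:", [d.key_tag for d in r["missing"]])
```

To use this against a real zone, replace `OBSERVED` with the DS answers fetched from every NS of the parent zone (the list is small and known, which is the reply's point), and treat any "unexpected" entry as a DS the parent accepted that you did not publish. The query is ordinary DNS, so no new protocol is needed; only the polling loop is.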
