From jim at rfc1035.com Tue Sep 29 20:50:19 2009
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 29 Sep 2009 19:50:19 +0100
Subject: [dnssec-key-tf] do we need to do anything for RIPE59?
Message-ID:

Colleagues, our task force is not quite dead. And not quite alive.
You might recall that we put it into hibernation because the IANA
ITAR was about to be created. There was an unofficial action item to
revive the task force at some point and assess how well the IANA
ITAR met the characteristics that we developed last year:
neutrality, processes and so on.

I'd like to be able to report some sort of progress to the WG in
Lisbon. My personal preference would be to declare victory and
disband the task force. However, this is not my decision to make. So
can I ask you all for your views on the following?

[1] Can we discuss the IANA ITAR on this list and reach a decision?
[2] Is the IANA ITAR "good enough" for us to consider the TF's work done?
[3] Should we try to physically meet in Lisbon before the WG on Thursday?
[4] Should we open up an Action Item for the WG to review the IANA ITAR?
[5] Are there any other options or strategies I've overlooked?

From roy at dnss.ec Tue Sep 29 22:25:12 2009
From: roy at dnss.ec (Roy Arends)
Date: Tue, 29 Sep 2009 16:25:12 -0400
Subject: [dnssec-key-tf] do we need to do anything for RIPE59?
In-Reply-To:
References:
Message-ID:

On Sep 29, 2009, at 2:50 PM, Jim Reid wrote:

> Colleagues, our task force is not quite dead. And not quite alive.
> You might recall that we put it into hibernation because the IANA
> ITAR was about to be created. There was an unofficial action item to
> revive the task force at some point and assess how well the IANA
> ITAR met the characteristics that we developed last year:
> neutrality, processes and so on.
>
> I'd like to be able to report some sort of progress to the WG in
> Lisbon. My personal preference would be to declare victory and
> disband the task force. However, this is not my decision to make.
> So can I ask you all for your views on the following?
>
> [1] Can we discuss the IANA ITAR on this list and reach a decision?

I don't see the point. What would be the gain? itar exists, does the
job.

> [2] Is the IANA ITAR "good enough" for us to consider the TF's work
> done?

Yes.

> [3] Should we try to physically meet in Lisbon before the WG on
> Thursday?

I might not be there.

> [4] Should we open up an Action Item for the WG to review the IANA
> ITAR?

No.

> [5] Are there any other options or strategies I've overlooked?

To sum up, I agree with you that we should declare victory and
disband the task force.

Roy

From jim at rfc1035.com Tue Sep 29 22:35:37 2009
From: jim at rfc1035.com (Jim Reid)
Date: Tue, 29 Sep 2009 21:35:37 +0100
Subject: [dnssec-key-tf] do we need to do anything for RIPE59?
In-Reply-To:
References:
Message-ID: <9C716586-AFE8-4298-B566-EC35EB59AF43@rfc1035.com>

On 29 Sep 2009, at 21:25, Roy Arends wrote:

>> [1] Can we discuss the IANA ITAR on this list and reach a decision?
>
> I don't see the point. What would be the gain? itar exists, does the
> job.

Thanks for your reply Roy. Although it may not be necessary for the
task force to discuss the ITAR in detail, there is a need for some
discussion, even if it's just to confirm that the task force is in
agreement.

From pk at DENIC.DE Wed Sep 30 10:42:17 2009
From: pk at DENIC.DE (Peter Koch)
Date: Wed, 30 Sep 2009 10:42:17 +0200
Subject: [dnssec-key-tf] do we need to do anything for RIPE59?
In-Reply-To:
References:
Message-ID: <20090930084217.GA21148@unknown.office.denic.de>

Jim, all,

> [1] Can we discuss the IANA ITAR on this list and reach a decision?

yes, please. It remains for us to evaluate the ITAR against the TAR
criteria. For those, we'd need a public reference. The TF home page
lists a "letter sent to ICANN" , but that's the "Get the root signed" plea.
My recollection is that the final result of the TF is reflected in
this mail to the DNS-WG dated 27 April 2008:

It would be good to have a stable reference, maybe even to the
communication with ICANN/IANA.

> [2] Is the IANA ITAR "good enough" for us to consider the TF's work
> done?

##> [1] The TAR should be technology neutral. It should not exclude or
##> prevent different flavours of trust anchors from being published,
##> provided those trust anchors conform to the relevant standards.

I don't recall what "flavours" we had in mind here, but the IANA ITAR
seems pretty algorithm neutral.

##> [2] The TAR should be OS/DNS implementation neutral. Tools and
##> documentation should be provided for use of the repository with common
##> DNS resolver and name server platforms.

I believe ITAR is vendor neutral.

##> Comment: IANA should publish such documentation and tools, or pointers
##> to them. Once we know details of repository, we can help putting
##> together this documentation.
##>
##> [3] The TAR should verify that the keying material it receives comes
##> from an authorised source, verify it is correctly formatted and verify
##> it is consistent with what is published in the TLD zone before
##> publishing it. There should also be a secure channel for
##> authenticating the repository and any data it is publishing.

I believe this is the case.

##> Comment: Using the same channels IANA uses to process update requests
##> to the root zone from TLDs should be fine. We do not mean special new
##> channels. https delivery and possibly checksums are sufficient for
##> publication.
##>
##> [4] A process is needed to revoke a trust anchor and notify those who
##> may be using the now withdrawn or invalid trust anchor.
##>
##> Comment: An opt-in mailing list for operational news should be
##> sufficient to satisfy this.

provides such a list.

##> [5] The TAR should be clear what support, if any, is available.

still says:

What is a beta?
This is a preliminary testing version of the service for the
community to try. We will take feedback and improve the product
before it is considered fully production ready. In particular, we
appreciate feedback on problems that occur, as well as features that
could be added to make the service more useful. You can send any
comments to itar at iana.org.

That sounds like an offer of support to me.

##> [6] The TAR must have a published exit strategy.
##>
##> Comment: The proposal includes that.

This is a temporary service until the DNS root zone is signed, at
which time the keying material will be placed in the root zone
itself, and this service will be discontinued.

This part might benefit from a clarification. The political aim is
clear and well stated, but I wonder how "discontinued" will look in
practice. Will the files disappear, will they be empty, will they be
replaced by a file containing only the root TA(s)?

##> [7] The TAR should only publish keying material with the consent of
##> the respective key manager.

I believe that is the case.

> [3] Should we try to physically meet in Lisbon before the WG on
> Thursday?

That doesn't seem necessary to me.

> [4] Should we open up an Action Item for the WG to review the IANA ITAR?

We can engage into formalities here. Since the TF was created by the
DNS WG it should report back there, make a recommendation and ask for
approval which would dissolve the TF. There's no further action for
the WG. Of course, the question is: will the ITAR ever leave beta
state or is it waiting for "OBE"?

> [5] Are there any other options or strategies I've overlooked?

Thanks for bringing this up again!

-Peter

From jim at rfc1035.com Wed Sep 30 11:44:18 2009
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 30 Sep 2009 10:44:18 +0100
Subject: [dnssec-key-tf] do we need to do anything for RIPE59?
In-Reply-To: <20090930084217.GA21148@unknown.office.denic.de>
References: <20090930084217.GA21148@unknown.office.denic.de>
Message-ID: <3AC5FA5F-571C-4C87-A06D-6C7FDD78F2D5@rfc1035.com>

On 30 Sep 2009, at 09:42, Peter Koch wrote:

> Of course, the question is: will the ITAR ever leave beta state or is it
> waiting for "OBE"?

Perhaps that question is best directed to Leo during the IANA update
agenda item?

Thanks for the other comments Peter.