List:       namedroppers
Subject:    Re: repeating my mic comment on auth denial
From:       Jim Reid <jim () rfc1035 ! com>
Date:       2005-03-17 12:23:03
Message-ID: 7138.1111062183 () shaun ! rfc1035 ! com

>>>>> "Ben" == Ben Laurie <ben@algroup.co.uk> writes:

    >> Even with 5 years of security expertise as input RFC 2065 was
    >> so operations unfriendly that it took years to fix the problem
    >> and years more to generate a new definition.  I don't want to
    >> repeat that experience.

    Ben> Don't worry, we are committed to producing the tools required
    Ben> to test NSEC3.

Who's "we"? Producing tools and what have you to test NSEC3 is all
very well. But if they're coming from the people who write the NSEC3
draft, that test suite could be unsatisfactory. Please note I'm not
questioning the integrity of those writing the NSEC3 drafts. I am
saying that if the test suite comes from the same source as NSEC3, the
tests could be relying on knowledge that's in the heads of the authors
but not written in the spec; or the tests have too narrow a focus;
etc, etc.

That said, Ed's point is well-made. Once the NSEC3 draft is done,
there should be a period of experimental deployment with workshops and
interoperability events so that the draft can be tweaked if
operational experience suggests that's needed.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>