I believe the KIDNS charter is generally good and I support forming this WG to work on this topic, however I have one important concern: > Specify mechanisms and techniques that allow Internet applications to > establish cryptographically secured communications by using information > distributed through the DNS and authenticated using DNSSEC to obtain > public keys which are associated with a service located at a > domain name. I fear this wording will lead to a standards that _requires_ people to adopt the sloppy security practice to use the same credential for two (or more) unrelated services. By only locating services by domain name, the separation between ports (e.g., 443 or 587) and transport protocols (UDP vs TCP) are lost. I object to that limitation. I believe it is important that any solution in this space supports different certificates for different ports/protocols on the same host. My experience with how protocols are deployed is that it is common for both web (HTTPS) and e-mail (SMTP with STARTTLS) to be hosted on the same domain name but with different certificates. For example, the host "lists.debian.org" is reachable with HTTPS (with a matching certificate) and also through SMTP with STARTTLS (also with a matching certificate). The services are using different certificates! There are other examples, lists.ubuntu.com and even mail.ietf.org, even if not all appear to support SMTP+STARTTLS. Thus, I'd like to see the charter clarify that services are located at a distinct port/protocol/domain-name rather than only at a domain-name. /Simon _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf