diff options
Diffstat (limited to 'draft-schanzen-gns.xml')
-rw-r--r-- | draft-schanzen-gns.xml | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index 5f38d97..49faeeb 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml | |||
@@ -422,7 +422,7 @@ | |||
422 | <dt>Sign(d,message) -> signature, Sign(d',message) -> signature</dt> | 422 | <dt>Sign(d,message) -> signature, Sign(d',message) -> signature</dt> |
423 | <dd> | 423 | <dd> |
424 | is a function to sign a message (typically encrypted record data) using the (blinded) private | 424 | is a function to sign a message (typically encrypted record data) using the (blinded) private |
425 | key d (d'), yielding an unforgable cryptographic signature. | 425 | key d (d'), yielding an unforgeable cryptographic signature. |
426 | In order to leverage performance-enhancing caching features of certain | 426 | In order to leverage performance-enhancing caching features of certain |
427 | underlying storages, in particular DHTs, a deterministic signature | 427 | underlying storages, in particular DHTs, a deterministic signature |
428 | scheme is recommended. | 428 | scheme is recommended. |
@@ -432,7 +432,7 @@ | |||
432 | is a function to verify the signature was created by | 432 | is a function to verify the signature was created by |
433 | the private key d (or derived key d') corresponding to | 433 | the private key d (or derived key d') corresponding to |
434 | the zone key zk (or derived zone key zk') | 434 | the zone key zk (or derived zone key zk') |
435 | where d,zk := Keygen(). If deriviations were used, they | 435 | where d,zk := Keygen(). If derivations were used, they |
436 | must have used the same label. | 436 | must have used the same label. |
437 | The function returns a boolean value of "TRUE" if the signature is valid, | 437 | The function returns a boolean value of "TRUE" if the signature is valid, |
438 | and otherwise "FALSE". | 438 | and otherwise "FALSE". |
@@ -687,7 +687,7 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
687 | <dd> | 687 | <dd> |
688 | denotes the absolute 64-bit date when the revocation was computed. | 688 | denotes the absolute 64-bit date when the revocation was computed. |
689 | In microseconds since midnight (0 hour), January 1, 1970 UTC in network | 689 | In microseconds since midnight (0 hour), January 1, 1970 UTC in network |
690 | byte order. This is the same value as the timestamp used in the | 690 | byte order. This is the same value as the time stamp used in the |
691 | individual PoW calculations. | 691 | individual PoW calculations. |
692 | </dd> | 692 | </dd> |
693 | <dt>TTL</dt> | 693 | <dt>TTL</dt> |
@@ -719,7 +719,7 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
719 | </dd> | 719 | </dd> |
720 | <dt>SIGNATURE</dt> | 720 | <dt>SIGNATURE</dt> |
721 | <dd> | 721 | <dd> |
722 | A signature over a timestamp and the zone zk of the zone | 722 | A signature over a time stamp and the zone zk of the zone |
723 | which is revoked and corresponds to the key used in the PoW. | 723 | which is revoked and corresponds to the key used in the PoW. |
724 | The signature is created using the Sign() function of | 724 | The signature is created using the Sign() function of |
725 | the cryptosystem of the zone and the private key | 725 | the cryptosystem of the zone and the private key |
@@ -729,7 +729,7 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
729 | <!-- FIXME Do we really need a purpose? --> | 729 | <!-- FIXME Do we really need a purpose? --> |
730 | <t> | 730 | <t> |
731 | The signature over the public key covers a 32-bit header | 731 | The signature over the public key covers a 32-bit header |
732 | prefixed to the timestamp and public key fields. | 732 | prefixed to the time stamp and public key fields. |
733 | The header includes the key length and signature purpose. | 733 | The header includes the key length and signature purpose. |
734 | The wire format is illustrated | 734 | The wire format is illustrated |
735 | in <xref target="figure_revsigwithpseudo"/>. | 735 | in <xref target="figure_revsigwithpseudo"/>. |
@@ -779,7 +779,7 @@ zTLD := zkl[126..129].zkl[63..125].zkl[0..62] | |||
779 | <li>The signature MUST be verified against the zone key.</li> | 779 | <li>The signature MUST be verified against the zone key.</li> |
780 | <li>The set of POW values MUST NOT contain duplicates which MUST be checked by verifying that the values are strictly monotonically increasing.</li> | 780 | <li>The set of POW values MUST NOT contain duplicates which MUST be checked by verifying that the values are strictly monotonically increasing.</li> |
781 | <li>The average number of leading zeroes D' resulting from the provided | 781 | <li>The average number of leading zeroes D' resulting from the provided |
782 | POW values MUST be greater than and not equal to D. Implementors | 782 | POW values MUST be greater than and not equal to D. Implementers |
783 | MUST NOT use an integer data type to calculate or represent D'.</li> | 783 | MUST NOT use an integer data type to calculate or represent D'.</li> |
784 | <li>The validation period (TTL) of the revocation is calculated as | 784 | <li>The validation period (TTL) of the revocation is calculated as |
785 | (D'-D) * EPOCH * 1.1. The EPOCH is extended by | 785 | (D'-D) * EPOCH * 1.1. The EPOCH is extended by |
@@ -1451,7 +1451,7 @@ S-Decrypt(zk,label,expiration,ciphertext): | |||
1451 | <t> | 1451 | <t> |
1452 | NOTE: If an application uses DNS names obtained from GNS2DNS records | 1452 | NOTE: If an application uses DNS names obtained from GNS2DNS records |
1453 | in a DNS request they must first be converted to a punycode representation | 1453 | in a DNS request they must first be converted to a punycode representation |
1454 | <xref target="RFC5890" />. | 1454 | <xref target="RFC5890" />. <!-- punycode or IDNA? --> |
1455 | </t> | 1455 | </t> |
1456 | </section> | 1456 | </section> |
1457 | </section> | 1457 | </section> |
@@ -2462,7 +2462,7 @@ NICK: john (Supplemental) | |||
2462 | via a revocation message would only be secure as long as both | 2462 | via a revocation message would only be secure as long as both |
2463 | cryptosystems are still secure against forgery. Such a planned, | 2463 | cryptosystems are still secure against forgery. Such a planned, |
2464 | non-emergency migration to another cryptosystem should be done by | 2464 | non-emergency migration to another cryptosystem should be done by |
2465 | running zones for both ciphersystems in parallel for a while. The | 2465 | running zones for both cipher systems in parallel for a while. The |
2466 | migration would conclude by revoking the legacy zone key only once | 2466 | migration would conclude by revoking the legacy zone key only once |
2467 | it is deemed no longer secure, and hopefully after most users have | 2467 | it is deemed no longer secure, and hopefully after most users have |
2468 | migrated to the replacement. | 2468 | migrated to the replacement. |