1 files changed, 40 insertions, 11 deletions
diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml
index f113141..b36f53a 100644
--- a/draft-schanzen-gns.xml
+++ b/draft-schanzen-gns.xml
@@ -1733,17 +1733,8 @@ GET(key) -> value
     </t>
     <t>
       Resource records are grouped by their respective labels,
-       encrypted and published together in a single resource records block
+       encrypted and published together in a single records block
-       (RRBLOCK) in the storage under a key q as illustrated in <xref target="figure_storage_publish"/>.
+       (RRBLOCK) in the storage under a storage key q as illustrated in <xref target="figure_storage_publish"/>.
-       The key q is derived from the zone key and the respective
-       label of the contained records.
-       The required knowledge of both zone key and label in combination
-       with the similarly derived symmetric secret keys and blinded zone keys
-       ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
-       The storage key derivation and records
-       block creation is specified in the following sections.
-       The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update
-       the zone contents accordingly.
     </t>
     <figure anchor="figure_storage_publish" title="Management and publication of local zones in the distributed storage.">
       <artwork name="" type="" align="left" alt=""><![CDATA[
@@ -1773,6 +1764,44 @@ GET(key) -> value
         ]]></artwork>
     </figure>
+     <t>
+       The storage key is derived from the zone key and the respective
+       label of the contained records.
+       The required knowledge of both zone key and label in combination
+       with the similarly derived symmetric secret keys and blinded zone keys
+       ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
+       The storage Key derivation and records
+       block creation using is specified in the following sections and a high-level
+       overview is illustrated in <xref target="figure_storage_derivations"/>.
+       The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update the zone contents accordingly.
+     </t>
+     <figure anchor="figure_storage_derivations" title="Storage key and records block creation overview.">
+       <artwork name="" type="" align="left" alt=""><![CDATA[
+----------+ +-------+ +------------+ +-------------+
+| Zone Key | | Label | | Record Set | | Private Key |
+----------+ +-------+ +------------+ +-------------+
+    |          |            |               |
+    |          |            v               |
+    |          |           +-----------+    |
+    |          +---------->| S-Encrypt |    |
+    +----------|---------->+-----------+    |
+    |          |               |    |       |
+    |          |               |    v       v
+    |          |               |   +-------------+
+    |          +---------------|-->| SignDerived |
+    |          |               |   +-------------+
+    |          |               |        |
+    |          v               v        v
+    |      +------+        +---------------+
+    +----->| ZKDF |------->| Records Block |
+           +------+        +---------------+
+              |
+              v
+           +------+        +-------------+
+           | Hash |------->| Storage Key |
+           +------+        +-------------+
+         ]]></artwork>
+     </figure>
     <section anchor="blinding" numbered="true" toc="default">
       <name>The Storage Key</name>
       <t>

diff --git a/draft-schanzen-gns.xml b/draft-schanzen-gns.xml index f113141..b36f53a 100644 --- a/draft-schanzen-gns.xml +++ b/draft-schanzen-gns.xml
@@ -1733,17 +1733,8 @@ GET(key) -> value
1733	</t>	1733	</t>
1734	<t>	1734	<t>
1735	Resource records are grouped by their respective labels,	1735	Resource records are grouped by their respective labels,
1736	encrypted and published together in a single resource records block	1736	encrypted and published together in a single records block
1737	(RRBLOCK) in the storage under a key q as illustrated in <xref target="figure_storage_publish"/>.	1737	(RRBLOCK) in the storage under a storage key q as illustrated in <xref target="figure_storage_publish"/>.
1738	The key q is derived from the zone key and the respective
1739	label of the contained records.
1740	The required knowledge of both zone key and label in combination
1741	with the similarly derived symmetric secret keys and blinded zone keys
1742	ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
1743	The storage key derivation and records
1744	block creation is specified in the following sections.
1745	The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update
1746	the zone contents accordingly.
1747	</t>	1738	</t>
1748	<figure anchor="figure_storage_publish" title="Management and publication of local zones in the distributed storage.">	1739	<figure anchor="figure_storage_publish" title="Management and publication of local zones in the distributed storage.">
1749	<artwork name="" type="" align="left" alt=""><![CDATA[	1740	<artwork name="" type="" align="left" alt=""><![CDATA[
@@ -1773,6 +1764,44 @@ GET(key) -> value
1773	]]></artwork>	1764	]]></artwork>
1774	</figure>	1765	</figure>
1775		1766
		1767	<t>
		1768	The storage key is derived from the zone key and the respective
		1769	label of the contained records.
		1770	The required knowledge of both zone key and label in combination
		1771	with the similarly derived symmetric secret keys and blinded zone keys
		1772	ensure query privacy (see <xref target="RFC8324"/>, Section 3.5).
		1773	The storage Key derivation and records
		1774	block creation using is specified in the following sections and a high-level
		1775	overview is illustrated in <xref target="figure_storage_derivations"/>.
		1776	The implementation <bcp14>MUST</bcp14> use the PUT storage procedure in order to update the zone contents accordingly.
		1777	</t>
		1778	<figure anchor="figure_storage_derivations" title="Storage key and records block creation overview.">
		1779	<artwork name="" type="" align="left" alt=""><![CDATA[
		1780	+----------+ +-------+ +------------+ +-------------+
		1781	\| Zone Key \| \| Label \| \| Record Set \| \| Private Key \|
		1782	+----------+ +-------+ +------------+ +-------------+
		1783	\| \| \| \|
		1784	\| \| v \|
		1785	\| \| +-----------+ \|
		1786	\| +---------->\| S-Encrypt \| \|
		1787	+----------\|---------->+-----------+ \|
		1788	\| \| \| \| \|
		1789	\| \| \| v v
		1790	\| \| \| +-------------+
		1791	\| +---------------\|-->\| SignDerived \|
		1792	\| \| \| +-------------+
		1793	\| \| \| \|
		1794	\| v v v
		1795	\| +------+ +---------------+
		1796	+----->\| ZKDF \|------->\| Records Block \|
		1797	+------+ +---------------+
		1798	\|
		1799	v
		1800	+------+ +-------------+
		1801	\| Hash \|------->\| Storage Key \|
		1802	+------+ +-------------+
		1803	]]></artwork>
		1804	</figure>
1776	<section anchor="blinding" numbered="true" toc="default">	1805	<section anchor="blinding" numbered="true" toc="default">
1777	<name>The Storage Key</name>	1806	<name>The Storage Key</name>
1778	<t>	1807	<t>