... Vernon Schryver wrote:
> ...
>>> I think this comes under "be liberal in what you accept."
>> No it doesn't.
>
> Indeed, "be liberal in what you accept" generally never has and should
> not apply to security. Who is liberal enough to accept passwords that
> are 90% right and public keys that were revoked only 10% of something
> ago? Should it be enough that 90% of a DNSSEC chain verifies? Expired
> keys are not the same as signatures that don't verify, but the principle
> is the same. Either the chain is valid, or all of the security proofs
> that depend on it are invalid.

+1.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs