On Thu, Jan 21, 2010 at 10:48:52AM -0500, Edward Lewis wrote:
> At 10:39 -0500 1/21/10, Andrew Sullivan wrote:
>>
>> Maybe this is the problem?
>
> Problem?
It's that it seems to be the occasion of a lot of disagreement with the
document. That is, in many cases, perhaps the advice should simply be,
"The ZSK/KSK split is useful in some circumstances, but for most
applications one key is sufficient." Or some such. I'm not proposing
this text, I'm asking.

> Not everyone has an automated registration interface (making that a
> reason to have a KSK/ZSK still hold).

Sure, but this may well be the exception and not the rule.

> And the key word above is "assumptions" - once we know for a fact that a
> ZSK of 1024 bits is good for a year no matter how much it is used and

Nobody can ever know that for a fact, because it would require proving
impossible that such a key could be cracked. Predictions of future
impossibility are hard to prove.

This is a question of trade-off, not facts, and one of the questions is
the degree to which two keys themselves introduce risks that aren't
offset by the gains they might produce. I simply don't know the answer,
but it seems to me that EKR is asking the right question.

A

-- 
Andrew Sullivan
a...@shinkuro.com
Shinkuro, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop