On Thu, 21 Jan 2010, Edward Lewis wrote:
If I were to fit this into the text below...
#<t>
# The motivation for having the KSK's effectivity period
# longer than the ZSK's effectivity period is rooted in the
# operational consideration that a change in the KSK involves
# interaction with an external entity, usually the parent zone
# or possibly a trust anchor repository, and this interaction
# is anticipated to have significant latency (including the
# need to verify the other party has made the necessary change).
#</t>
Maybe make it more explicit that an intra-organisation key change can
and probably should happen frequently, whereas an inter-organisational
key change, because it involves other organisations, is more difficult
and should be kept to a minimum?
Again, think of a zone administrator who had access to a private ZSK
leaving your organisation. It would be a good security policy to roll over
the ZSK as part of the procedure of revoking this person's access to
the organisation. And a good reason to have an HSM so you do not need
to do the same with the KSK.
Paul
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
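The distinction Paul draws between an intra-organisational ZSK change and an inter-organisational KSK change follows directly from how the parent's DS record is built: it is a hash over the child's KSK DNSKEY RDATA (RFC 4034 section 5.1.4, SHA-256 digest type 2 from RFC 4509), and the ZSK never appears in it. The script below is an added example, not part of this thread or of any draft text; it implements the RFC 4034 key tag and the DS digest over a constructed DNSKEY set and reports whether a given rollover changes the DS RRset. The zone name is hypothetical and the public-key bytes are fixed filler, not output of a key generator.

```python
"""Why a KSK change touches the parent and a ZSK change does not.

The DS RRset a parent publishes is derived only from the child's KSK
(SEP-flagged) DNSKEY records, so replacing a ZSK never requires an
inter-organisational step, while replacing a KSK always does.
"""
import hashlib
from dataclasses import dataclass

SEP_BIT = 0x0001          # Secure Entry Point flag: set on KSKs (257), clear on ZSKs (256)
PROTOCOL = 3              # DNSKEY protocol field is always 3 (RFC 4034)
ALG_ECDSAP256SHA256 = 13  # algorithm number used for the constructed keys below
DS_DIGEST_SHA256 = 2      # DS digest type 2 (RFC 4509)


@dataclass(frozen=True)
class DnsKey:
    flags: int
    algorithm: int
    public_key: bytes  # raw key material as carried in the DNSKEY RDATA

    def rdata(self) -> bytes:
        """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
        return self.flags.to_bytes(2, "big") + bytes([PROTOCOL, self.algorithm]) + self.public_key

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_BIT)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels with length octets, root label last."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (for algorithms other than 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, key: DnsKey) -> tuple[int, int, int, str]:
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).hexdigest()
    return (key_tag(key.rdata()), key.algorithm, DS_DIGEST_SHA256, digest)


def ds_set(owner: str, keys: list[DnsKey]) -> frozenset:
    """The DS RRset a parent would publish: one DS per SEP (KSK) key, none for ZSKs."""
    return frozenset(ds_record(owner, k) for k in keys if k.is_ksk)


def rollover_needs_parent(owner: str, before: list[DnsKey], after: list[DnsKey]) -> bool:
    """True when the DNSKEY change alters the DS RRset, i.e. the parent must be updated."""
    return ds_set(owner, before) != ds_set(owner, after)


if __name__ == "__main__":
    zone = "example.com."  # hypothetical zone name
    # Constructed key material: fixed filler bytes, not the output of any key generator.
    ksk = DnsKey(257, ALG_ECDSAP256SHA256, bytes(range(64)))
    zsk_old = DnsKey(256, ALG_ECDSAP256SHA256, bytes(range(64, 128)))
    zsk_new = DnsKey(256, ALG_ECDSAP256SHA256, bytes(range(128, 192)))
    ksk_new = DnsKey(257, ALG_ECDSAP256SHA256, bytes(range(192, 256)))

    current = [ksk, zsk_old]
    print("DS at parent:", sorted(ds_set(zone, current)))
    # Emergency ZSK rollover (e.g. an administrator with ZSK access leaves): DS unchanged.
    print("ZSK rollover needs parent:", rollover_needs_parent(zone, current, [ksk, zsk_new]))
    # KSK rollover: the DS RRset changes, so the parent (or trust anchor holders) must act.
    print("KSK rollover needs parent:", rollover_needs_parent(zone, current, [ksk_new, zsk_new]))
```

Running it prints a single DS entry for the KSK, `False` for the ZSK rollover and `True` for the KSK rollover. With an HSM holding the KSK, the ZSK can be rolled on a personnel event without the parent ever seeing a change, which is the policy split the thread argues for.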